MAJOR hole in 5.0

Henning Rohde Rohde.Henning at
Fri Sep 26 12:43:42 PDT 2003



On Friday, 26 September 2003 21:07, Dagmar d'Surreal wrote:
> On Fri, 2003-09-26 at 09:36, Daniel Roethlisberger wrote:
> > Some people suggested that the user 'nobody' does not need to be there.
> > I believe that is not true for some/most systems. The user 'nobody' is
> > traditionally a non-privileged user which owns no files (running
> > Apache as 'nobody' is abuse of the rationale behind it, and thus
> > considered harmful). Some daemons default to using 'nobody' when
> > dropping privileges in order to do unprivileged work.
> Name some.  Everything recent and sane does not, and even old code tends
> to be configurable.  Most folks figured out that having more than one
> thing using the nobody role account was a bad idea in the early 90's.

Does anyone still use NFS?
Is there anyone who remembers the mysterious user "nfs-nobody"???

"nobody" is commonly the user that gets assigned to files root (=uid0)
writes on some NFS mount that has been exported without the option

This is IMHO at least one valid reason for this user to exist in any
default installation, even for some firewall, where NFS should never be
used.
Another could be OpenSSH; I think I remember it needing this user for
PrivilegeSeparation, but I could be wrong.

Just my 2 cents of EUR,



More information about the lfs-security mailing list