MAJOR hole in 5.0

Henning Rohde Rohde.Henning at gmx.net
Fri Sep 26 12:43:42 PDT 2003


Hi,

On Friday, 26 September 2003 21:07, Dagmar d'Surreal wrote:
> On Fri, 2003-09-26 at 09:36, Daniel Roethlisberger wrote:
> > Some people suggested that the user 'nobody' does not need to be there.
> > I believe that is not true for some/most systems. The user 'nobody' is
> > traditionally a non-privileged user which owns no files (running
> > Apache as 'nobody' is abuse of the rationale behind it, and thus
> > considered harmful). Some daemons default to using 'nobody' when
> > dropping privileges in order to do unprivileged work.
>
> Name some.  Everything recent and sane does not, and even old code tends
> to be configurable.  Most folks figured out that having more than one
> thing using the nobody role account was a bad idea in the early 90's.

<irony>
Does anyone still use NFS?
Is there anyone who remembers the mysterious user "nfs-nobody"???
</irony>

"nobody" is commonly the user that gets assigned to files root (=uid0)
writes on some NFS mount that has been exported without the option
"no_root_squash".

This is IMHO at least one valid reason for this user to exist in any
default installation, even for some firewall where NFS should never be
used.
Another could be OpenSSH; I think I remember it needing this user for
PrivilegeSeparation, but I could be wrong.


Just my 2 cents of EUR,

	Henning
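The root-squash behaviour mentioned in the message above can be audited from the server's export table. The following is an added example, not part of the original post: it reads exports(5)-style text and reports which uid a client's root is mapped to for each export. The sample entries, paths, hosts and function names are constructed, 65534 is assumed as the anonymous uid default, and only simple one-line `path client(options)` entries are handled.

```python
import re

DEFAULT_ANON_UID = 65534  # assumed nfs-utils default anonymous uid (usually "nobody")

# Constructed sample in exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# constructed example
/srv/pub      192.0.2.0/24(ro,sync)
/srv/build    buildhost.example(rw,sync,no_root_squash)
/srv/home     192.0.2.10(rw,root_squash,anonuid=1500) *.example(ro,all_squash)
/srv/legacy   oldhost.example
"""

# A client spec is "host" or "host(opt,opt,...)"; an empty host means any client.
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return one record per (path, client) saying which uid root is mapped to."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue                          # syntax outside this subset
            host = m.group(1) or "*"
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            root_squash, all_squash, anon_uid = True, False, DEFAULT_ANON_UID
            for opt in opts:
                if opt == "no_root_squash":
                    root_squash = False
                elif opt == "root_squash":
                    root_squash = True
                elif opt == "all_squash":
                    all_squash = True
                elif opt.startswith("anonuid="):
                    anon_uid = int(opt.split("=", 1)[1])
            squashed = root_squash or all_squash  # all_squash also covers uid 0
            records.append({"path": path, "client": host,
                            "root_uid": anon_uid if squashed else 0})
    return records

def unsquashed(text):
    """Exports on which a client's root keeps uid 0 on the server."""
    return [(r["path"], r["client"]) for r in audit_exports(text) if r["root_uid"] == 0]

if __name__ == "__main__":
    for rec in audit_exports(SAMPLE_EXPORTS):
        print(rec)
```
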




More information about the lfs-security mailing list