MAJOR hole in 5.0

Dagmar d'Surreal dagmar.wants at nospam.com
Fri Sep 26 15:10:21 PDT 2003


On Fri, 2003-09-26 at 14:43, Henning Rohde wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> On Friday, 26 September 2003 21:07, Dagmar d'Surreal wrote:
> > On Fri, 2003-09-26 at 09:36, Daniel Roethlisberger wrote:
> > > Some people suggested that the user 'nobody' does not need to be there.
> > > I believe that is not true for some/most systems. The user 'nobody' is
> > > traditionally a non-privileged user which owns no files (running
> > > Apache as 'nobody' is abuse of the rationale behind it, and thus
> > > considered harmful). Some daemons default to using 'nobody' when
> > > dropping privileges in order to do unprivileged work.
> >
> > Name some.  Everything recent and sane does not, and even old code tends
> > to be configurable.  Most folks figured out that having more than one
> > thing using the nobody role account was a bad idea in the early 90's.
> 
> <irony>
> Does anyone still use NFS?
> Is there anyone who remembers the mysterious user "nfs-nobody"???
> </irony>
> 
> "nobody" is commonly the user, that gets assigned to files root (=uid0) 
> writes on some NFS-mount, that has been exported without the option 
> "no_root_squash".
> 
> This is IMHO at least one valid reason for this user to exist in any 
> default installation, even on some firewall where nfs should never be 
> used.

This would be the place where you would absolutely NOT want it.

> Another could be openSSH, I think I remember it needing this user for 
> PrivilegeSeparation, but I could be wrong.

You would be wrong.
-- 
The email address above is phony because the people making archives of list
traffic publicly available on the web aren't taking measures to protect the
email addresses from filthy spammers.  
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
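The root-squash mapping described in the quoted reply, as an added example that is not part of the post or of the LFS project: a small Python audit of /etc/exports entries that reports, per export and client, which server-side uid files written by root on the client will end up owned by, and flags no_root_squash exports. It assumes Linux knfsd semantics from exports(5): root_squash is the default, no_root_squash disables it, all_squash squashes every uid, anonuid= chooses the anonymous account, and the anonymous uid defaults to 65534 (whether that number is named "nobody", "nfsnobody" or something else is distribution-specific). The sample exports file is constructed for the example, including the classic typo of a space before "(", which exports to the named host with default options and, separately, to every host with the options given.

```python
"""Audit /etc/exports for root squashing.

Added example; not code from the mailing-list post or from LFS.
Assumed semantics (from exports(5) on Linux): root_squash is the default,
no_root_squash disables it, all_squash squashes every uid, anonuid=N selects
the anonymous uid, and the anonymous uid defaults to 65534.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_ANON_UID = 65534  # assumed Linux knfsd default; the account name for it varies

# Constructed sample, not any real host's /etc/exports.
SAMPLE_EXPORTS = """\
# home directories: root on the client is squashed (the default anyway)
/srv/home     192.168.1.0/24(rw,sync,root_squash)
# build box allowed to keep root: files root writes here stay uid 0
/srv/build    buildhost(rw,sync,no_root_squash)
# public tree: every client uid mapped to the anonymous account
/srv/pub      *(ro,sync,all_squash,anonuid=65534,anongid=65534)
# typo: the space before "(" exports to 'trusted' with defaults AND to everyone with rw,no_root_squash
/srv/mistake  trusted (rw,sync,no_root_squash)
"""

# "host(opt,opt)", "host" (default options) or "(opt,opt)" (no host => everyone)
CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


@dataclass
class Export:
    path: str
    client: str
    options: List[str] = field(default_factory=list)

    def root_squashed(self) -> bool:
        """Is uid 0 from the client mapped to the anonymous uid? Last root_squash/no_root_squash wins."""
        squash = True  # exports(5) default
        for opt in self.options:
            if opt == "no_root_squash":
                squash = False
            elif opt == "root_squash":
                squash = True
        return squash or "all_squash" in self.options

    def root_writes_as(self) -> int:
        """Server-side uid that owns files written by root on this client."""
        if not self.root_squashed():
            return 0
        for opt in self.options:
            if opt.startswith("anonuid="):
                return int(opt.split("=", 1)[1])
        return DEFAULT_ANON_UID


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) text into one Export per (path, client) pair."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # no client spec at all => everyone
        for token in clients:
            m = CLIENT_RE.match(token)
            if m is None:
                raise ValueError(f"cannot parse client spec {token!r} in {raw!r}")
            host = m.group(1) or "*"  # "(rw)" with no host in front of it means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, host, opts))
    return exports


def audit(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, message) findings a reviewer of the file would want."""
    findings: List[Tuple[str, str, str]] = []
    for e in exports:
        if not e.root_squashed():
            findings.append((e.path, e.client, "no_root_squash: client root keeps uid 0 on the server"))
        if e.client == "*":
            findings.append((e.path, e.client, "exported to every host (check for a stray space before '(')"))
    return findings


if __name__ == "__main__":
    exps = parse_exports(SAMPLE_EXPORTS)
    for e in exps:
        print(f"{e.path:14} {e.client:16} root writes as uid {e.root_writes_as()}")
    for path, client, msg in audit(exps):
        print(f"WARNING {path} {client}: {msg}")
```

Run against a real file with parse_exports(open("/etc/exports").read()); the point of the uid column is that on every squashed export the owner of root-written files is 65534, so if that uid has no account the files simply show a numeric owner, while if it is shared with other daemons those daemons own what NFS clients' root wrote.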