Re: Unprivileged default user for "tiny" daemons?

Reply: Yuri : "Re: Unprivileged default user for "tiny" daemons?"
Reply: Felix Palmen : "Re: Unprivileged default user for "tiny" daemons?"
In reply to: Felix Palmen : "Re: Unprivileged default user for "tiny" daemons?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Brooks Davis <brooks_at_freebsd.org>
Date: Tue, 09 May 2023 08:11:04 UTC

On Tue, May 09, 2023 at 10:05:15AM +0200, Felix Palmen wrote:
> * Felix Palmen <zirias@FreeBSD.org> [20230508 18:39]:
> > I tend to think now that 'daemon' should really be the way to go when
> > you don't need a dedicated account. Am I overlooking something? Any
> > other comments?
> 
> Seems I overlooked something indeed:
> 
> #v+
> $ find [14-jail] \( -user daemon -or -group daemon \)
> [14-jail]/usr/sbin/lpc
> [14-jail]/usr/bin/lprm
> [14-jail]/usr/bin/lpr
> [14-jail]/usr/bin/lpq
> [14-jail]/var/rwho
> [14-jail]/var/spool/mqueue
> [14-jail]/var/spool/lpd
> [14-jail]/var/spool/output
> [14-jail]/var/spool/output/lpd
> [14-jail]/var/spool/opielocks
> [14-jail]/var/at/jobs
> [14-jail]/var/at/spool
> [14-jail]/var/msgs
> #v-
> 
> So, daemon owns e.g. the print spool...
> 
> Interestingly, ou even find something owned by nobody in base:
> 
> #v+
> -rw-r--r--  1 nobody  wheel  0 Jul  8  2021 /var/db/locate.database
> #v-

This seems like a bug.

> 
> So, takeaway is: There is no safe choice other than allocating a
> dedicated UID for every single daemon, even if it doesn't need to
> own/access any files? Is this really correct?

This is clearly the right choice even it's a bit of a pain.

-- Brooks



> 
> Cheers, Felix
> 
> -- 
>  Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
>  -- ports committer (mentee) --            {web}  http://palmen-it.de
>  {pgp public key}  http://palmen-it.de/pub.txt
>  {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231