dagmar.wants at nospam.com
Sat Mar 13 22:40:08 PST 2004
On Sat, 2004-03-13 at 23:40, Reinhard wrote:
> > The "nobody" role account is frequently overused. When you've got more
> > than one thing using it, it becomes impossible to determine which daemon
> > did what to your filesystem (as an example) after the fact. If the
> > system has role accounts set up for each special purpose daemon, you can
> > tell which bits belong to what at runtime, as well as apply restrictions
> > to them on a per-service basis.
> Thank you Dagmar for mentioning it. That's quite a different question.
> Based on that, it makes sense to create a different user for each daemon.
> I thought nfs-tools are not the only rpc-services, so there's not a big difference
> from using nobody.
Since netfilter supports looking up the owner of sockets, you can also
get a lot pickier about what uids/gids get network access, too. :)
Possible applications for this that come to mind are forcing shell users
to use the system's configured resolver and/or proxy servers to prevent
them from, say, spamming or horizontal scanning for remote server
exploits without you getting a big log of it.
The email address above is phony because my penis is already large enough, kthx.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
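A concrete form of the per-uid/gid egress policy Dagmar describes, as an added example (not from the thread or from BLFS): it prints the iptables commands rather than applying them, and every address, port and id in it is a constructed placeholder to replace with the real resolver, proxy and role-account ids.

```shell
#!/bin/sh
# Added example, not from the original thread: outbound policy built on the
# netfilter owner match, so only the intended uids/gids get network access.
# It prints the iptables commands instead of running them; review the output
# and then, as root, run:  egress_rules | sh
# Every address, port and id below is a constructed placeholder.

RESOLVER="192.0.2.53"   # the system's configured resolver (assumed)
PROXY="192.0.2.8"       # outbound HTTP proxy (assumed)
PROXY_PORT="3128"
SHELL_GID="100"         # gid shared by interactive shell users (assumed)
MAILER_UID="25"         # role account of the mail daemon (assumed)

egress_rules() {
    cat <<EOF
# Separate chain for new outbound connections; OUTPUT hands off to it
iptables -N EGRESS 2>/dev/null || iptables -F EGRESS
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW -j EGRESS
# Everyone may query the configured resolver, and only that one
iptables -A EGRESS -p udp -d $RESOLVER --dport 53 -j ACCEPT
iptables -A EGRESS -p tcp -d $RESOLVER --dport 53 -j ACCEPT
iptables -A EGRESS -p udp --dport 53 -j DROP
iptables -A EGRESS -p tcp --dport 53 -j DROP
# Shell users reach the web only through the proxy; everything else is logged and dropped
iptables -A EGRESS -m owner --gid-owner $SHELL_GID -p tcp -d $PROXY --dport $PROXY_PORT -j ACCEPT
iptables -A EGRESS -m owner --gid-owner $SHELL_GID -j LOG --log-prefix "egress shell: "
iptables -A EGRESS -m owner --gid-owner $SHELL_GID -j DROP
# The mail role account may open SMTP sessions and nothing else
iptables -A EGRESS -m owner --uid-owner $MAILER_UID -p tcp --dport 25 -j ACCEPT
iptables -A EGRESS -m owner --uid-owner $MAILER_UID -j LOG --log-prefix "egress mailer: "
iptables -A EGRESS -m owner --uid-owner $MAILER_UID -j DROP
# Whatever is not covered above gets logged (so the owner can be identified) and dropped
iptables -A EGRESS -j LOG --log-prefix "egress other: "
iptables -A EGRESS -j DROP
EOF
}

# Number of iptables commands the policy consists of (comment lines excluded)
rule_count() {
    egress_rules | grep -c '^iptables'
}

egress_rules
```

The LOG lines are what makes the role accounts pay off: a dropped packet shows up in the kernel log with its prefix, and the uid/gid rule it hit tells you which daemon or user tried to leave.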