NFS tools

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Mar 13 22:40:08 PST 2004


On Sat, 2004-03-13 at 23:40, Reinhard wrote:

> > The "nobody" role account is frequently overused.  When you've got more
> > than one thing using it, it becomes impossible to determine which daemon
> > did what to your filesystem (as an example) after the fact.  If the
> > system has role accounts set up for each special purpose daemon, you can
> > tell which bits belong to what at runtime, as well as apply restrictions
> > to them on a per-service basis.
> 
> Thank you, Dagmar, for mentioning it. That's quite a different question. 
> Based on that - it makes sense to create a different user for each daemon.
> I thought nfs-tools are not the only rpc-services, so not a big difference to 
> using nobody.

Since netfilter supports looking up the owner of sockets, you can also
get a lot pickier about what uids/gids get network access, too.  :)

Possible applications for this that come to mind are forcing shell users
to use the system's configured resolver and/or proxy servers to prevent
them from, say, spamming or horizontal scanning for remote server
exploits without you getting a big log of it.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
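
The per-group egress restriction described in the message above, as an added example that is not part of the original post: a shell function that prints (but does not apply) iptables rules using the netfilter owner match. The group name, chain name and the 192.0.2.x resolver and proxy addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints, without applying, iptables rules that confine one
# group's outbound traffic to the site resolver and proxy and log the rest.
# The owner match only works on locally generated packets (OUTPUT/POSTROUTING).
# IPv6 needs the same rules loaded through ip6tables.

emit_owner_rules() {
    group=$1 resolver=$2 proxy=$3 proxy_port=$4
    chain=EGRESS_RESTRICT            # hypothetical chain name

    # Accept only a plain group name, dotted-quad addresses and a numeric port,
    # so the printed rules can be piped to a root shell safely.
    case $group in ''|*[!A-Za-z0-9_-]*) echo "bad group: $group" >&2; return 1;; esac
    for ip in "$resolver" "$proxy"; do
        case $ip in ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1;; esac
    done
    case $proxy_port in ''|*[!0-9]*) echo "bad port: $proxy_port" >&2; return 1;; esac

    # Order matters: allow loopback, resolver and proxy, then log and reject.
    # RETURN hands allowed packets back to the rest of the OUTPUT policy.
    cat <<EOF
iptables -N $chain
iptables -A OUTPUT -m owner --gid-owner $group -j $chain
iptables -A $chain -o lo -j RETURN
iptables -A $chain -p udp -d $resolver --dport 53 -j RETURN
iptables -A $chain -p tcp -d $resolver --dport 53 -j RETURN
iptables -A $chain -p tcp -d $proxy --dport $proxy_port -j RETURN
iptables -A $chain -j LOG --log-prefix "egress-denied: " --log-uid
iptables -A $chain -j REJECT
EOF
}

# Constructed sample values: group "shellusers", resolver 192.0.2.53,
# proxy 192.0.2.80 on port 3128.
emit_owner_rules shellusers 192.0.2.53 192.0.2.80 3128
```

Review the printed rules before piping them to a root shell; the LOG rule's `--log-uid` option records which uid triggered each denied connection.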




More information about the blfs-dev mailing list