[opensuse-factory] Own user but "nogroup" as group?
Hi,
we have quite some packages, which create an own user, but use "nogroup" as group. In my opinion this defeats the purpose of having an own user for a daemon: avoid that an attacker can access other things if we manage to hack a daemon.
Since we additionally create an own group, at least if you use the sysusers.d config file and do not call useradd, I'm in favour of removing all these nogroup usages, including that the user nobody is a member of this group.
Opinions?
Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Friday 2020-04-17 13:36, Thorsten Kukuk wrote:
> we have quite some packages, which create an own user, but use "nogroup" as group. In my opinion this defeats the purpose of having an own user for a daemon: avoid that an attacker can access other things if we manage to hack a daemon.
> Since we additionally create an own group, at least if you use the sysusers.d config file and do not call useradd, I'm in favour of removing all these nogroup usages, including that the user nobody is a member of this group.
"nobody" and "nogroup" are used by NFS in some circumstances; so the passdb entries for these two should always exist -- but not much else indeed. The membership could certainly go away, as should services' use of the nobody entity for use as a process's (e)uid.
There might be some cron jobs that historically were run with nobody... worth having a cursory look if that is still relevant.
On Fri, Apr 17, Jan Engelhardt wrote:
> On Friday 2020-04-17 13:36, Thorsten Kukuk wrote:
>> we have quite some packages, which create an own user, but use "nogroup" as group. In my opinion this defeats the purpose of having an own user for a daemon: avoid that an attacker can access other things if we manage to hack a daemon.
>> Since we additionally create an own group, at least if you use the sysusers.d config file and do not call useradd, I'm in favour of removing all these nogroup usages, including that the user nobody is a member of this group.
> "nobody" and "nogroup" are used by NFS in some circumstances; so the passdb entries for these two should always exist -- but not much else indeed. The membership could certainly go away, as should services' use of the nobody entity for use as a process's (e)uid.
"nogroup" is not really used for NFS, that's nobody:nobody. "nogroup" is a historical mistake by us and workaround to fix the old mistake, but should not be needed anymore, at least not for fresh installations.
Thorsten
On 17/04/2020 13.51, Thorsten Kukuk wrote:
> On Fri, Apr 17, Jan Engelhardt wrote:
>> "nobody" and "nogroup" are used by NFS in some circumstances; so the passdb entries for these two should always exist -- but not much else indeed. The membership could certainly go away, as should services' use of the nobody entity for use as a process's (e)uid.
> "nogroup" is not really used for NFS, that's nobody:nobody. "nogroup" is a historical mistake by us and workaround to fix the old mistake, but should not be needed anymore, at least not for fresh installations.
Is this explained somewhere? So that we can check and correct old installations, if needed.
--
Cheers / Saludos,
Carlos E. R. (from 15.1 x86_64 at Telcontar)
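
One way to check an existing installation for the pattern discussed in this thread, as an added example that is not part of the original messages or of any openSUSE tooling: it lists accounts whose primary group is "nogroup" and the supplementary members of that group. The function names, the daemon account names and all UID/GID values in the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: find accounts tied to "nogroup" in passwd/group-format files.
# On a live system pass /etc/passwd and /etc/group (local accounts only).

# Print the GID of the group named "nogroup"; prints nothing if it is absent.
nogroup_gid() {
    awk -F: '$1 == "nogroup" { print $3; exit }' "$1"
}

# Print users whose primary group (passwd field 4) is nogroup.
# $1 = passwd-format file, $2 = group-format file
primary_nogroup_users() {
    gid=$(nogroup_gid "$2")
    [ -n "$gid" ] || return 0
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1" | sort
}

# Print users listed as supplementary members of nogroup (group field 4).
supplementary_nogroup_users() {
    awk -F: '$1 == "nogroup" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1" | sort
}

# Write constructed sample files into directory $1 (all entries are made up).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
exampled:x:480:65533:Example daemon:/var/lib/exampled:/sbin/nologin
otherd:x:481:65533:Other daemon:/var/lib/otherd:/sbin/nologin
goodd:x:482:482:Daemon with own group:/var/lib/goodd:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
nobody:x:65534:
nogroup:x:65533:nobody
goodd:x:482:
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "primary group is nogroup:"
primary_nogroup_users "$tmp/passwd" "$tmp/group"
echo "supplementary members of nogroup:"
supplementary_nogroup_users "$tmp/group"
rm -rf "$tmp"
```

Every account in the first list shares a group with the others, so files or directories owned by group "nogroup" and group-accessible are reachable from any of those daemons.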