On Sun, 2008-06-22 at 18:04 +0200, RedShift wrote: > Pierre Schmitz wrote: > > Hi, > > > > as mentioned in the apache thread I would like to use a dedicated user/group > > for our different webserver packages. To achieve this I'd like to add the > > user/group http to our filesystem package. (It allready contains them for > > mail and ftp) > > > > According to > > http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database uid/gid > > 33 should be free for use. > > > > An install script to add those for upgraders have to be added, too. > > > > Another approach would be adding an install script creating those groups to > > the webserver packages. > > > > What do you think is best? > > > > Pierre > > Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessairy. And prevents cluttering of unnecessairy users/groups. For example in my httpd setups, the http users would never be used. > > IMO. > > Glenn > Using nobody for each and every service makes the nobody user unsafe to use. As soon as one of your daemons is compromised, all of them are compromised also because they share the same user.
