On 15 January 2018 at 15:37, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2018-01-15 at 10:53 -0500, Steve Dickson wrote:
>
>> Googling 'linux nobody uid' it appears nobody is a uid used by apps
>> that don't want to run as root. In case they got hacked they would
>> not have root privileges, but with SElinux around I think that
>> problem has been solved.
>
> This seems a bit hand-wavy to me. We believe in many layers of security
> and good practices at every level, yes? Just running things as root and
> trusting SELinux to restrict their privileges seems like a very
> airy-fairy way of operating, if that's what you're suggesting.
>

He was going off of some things from 1999/2000 I remembered (probably poorly). Back then a lot of daemons and tools would run as the user nobody versus running as specific users like apache. In some cases this was hard coded into apps. (what is the default daemon user? oh nobody).

The other problem was that in NFS heavy environments this was a security problem because if you broke out of named, you had the same rights as every other nobody app.. which some NFS servers would allow to read access (if not write access). So having nobody not running as the nfs nobody was a security measure to stop bind/httpd servers from serving /etc/shadow on a diskless environment or other weird items.

The nfs nobody wasn't listed in /etc/passwd for a long time because it was considered a reserved not used port. Until bug reports built up about places using it or getting confused because the ldap nobody was 6553x but the 99 was nobody. So nfsnobody was put in to fix that problem.

So he is going over why nfsnobody and nobody were put into the system and why they are different in Red Hat Linux versus debian/etc. Those decisions were made before selinux so the original reasons may not make sense.

> I'm fairly sure *lots* of daemons in Fedora still drop root privileges
> early in operation, and this is still widely considered to be good
> practice. Quite a few have their own unprivileged account to use for
> this purpose (which is also used to own files they need access to,
> etc.), but some may still run as 'nobody'. If this could be affected by
> the Change, it should probably be looked into...
> --
> Adam Williamson
> Fedora QA Community Monkey
> IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
> http://www.happyassassin.net
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Stephen J Smoogen.