Ulrich Windl wrote on 26/06/2020 10:43:
>>>> Roman Odaisky <roma@xxxxxxxxxxx> wrote on 25.06.2020 at 14:35 in
> message
> <2175_1593088566_5EF49A35_2175_217_1_5367023.DvuYhMxLoT@xps>:
>>> [Service]
>>> User=nobody
>>
>> May I interject that DynamicUser=yes is generally superior to User=nobody.
>
> And I always thought the user is named nobody, because no process is ever using
> it (as UID to run with)...
> Using it may have unwanted security implications.

Could be wrong, but I think it's more to do with running *multiple*
unrelated services as nobody. They could, in theory, mess with each
other in some cases (deleting each other's temporary files, sockets etc).

So one dodgy/vulnerable "nobody" service could then interfere with a
more robust "nobody" service just because they are running as the same
user. Running as different users can avoid that vector.

Col

-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
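An added example, not part of the thread and not systemd's own code: a small audit that finds unit files whose `[Service]` sections name the same explicit `User=`, which is the shared-account situation described in the reply above. The unit names, binaries and the helper names `service_settings` and `shared_static_users` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample units (not from the thread); all names are hypothetical.
SAMPLE_UNITS = {
    "thumbnailer.service": "[Unit]\nDescription=demo\n[Service]\nUser=nobody\nExecStart=/usr/bin/thumbd\n",
    "metrics.service": "[Service]\n# hardening pending\nUser = nobody\nExecStart=/usr/bin/metricsd\n",
    "resolver.service": "[Service]\nDynamicUser=yes\nExecStart=/usr/bin/resolver-demo\n",
    "legacy.service": "[Service]\nUser=nobody\nUser=\nUser=legacy\nExecStart=/usr/bin/legacyd\n",
}

def service_settings(unit_text):
    """Return the effective (User, DynamicUser) pair from the [Service] section."""
    section, user, dynamic = None, None, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "User":
            user = value or None                 # empty assignment resets; last one wins
        elif key == "DynamicUser":
            dynamic = value.lower() in ("1", "yes", "true", "on")
    return user, dynamic

def shared_static_users(units):
    """Map each explicit User= value to the units sharing it (two or more)."""
    by_user = defaultdict(list)
    for name, text in units.items():
        user, _dynamic = service_settings(text)
        # A unit with DynamicUser=yes and no User= gets its own allocated
        # user, so it never lands in a shared group here.
        if user is not None:
            by_user[user].append(name)
    return {u: sorted(n) for u, n in by_user.items() if len(n) > 1}

if __name__ == "__main__":
    for user, names in shared_static_users(SAMPLE_UNITS).items():
        print(f"{user}: shared by {', '.join(names)}")
```

To audit a real host, build the dictionary from the unit files under the systemd unit directories instead of `SAMPLE_UNITS`; drop-in overrides are not merged by this sketch.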