Re: unprivledged users (for a service)
- From: Matthew Seaman <m.seaman@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Aug 2011 14:31:34 +0100
On 15/08/2011 17:42, Chuck Swiger wrote:
> On Aug 15, 2011, at 9:37 AM, Chris Brennan wrote:
>> It's been a while since I've had to do this and the drive that contained
>> all of my notes is dead, along with the backup (I was actually lucky to
>> recover my home drive before it also failed but my notes were not
>> there). I cannot for the life of me remember how to properly add an
>> unprivileged user that will only be used for running a specific system
>> service. So it doesn't need a login shell or $HOME.
>
> Add a user and set the shell to /bin/false or perhaps /sbin/nologin; for $HOME set it to /var/empty or /tmp, perhaps.
Good advice, except... for this sort of user that exists solely to run
various processes, generally it is preferable for them *not* to be able
to write to their home directory. Especially if the software concerned
is exposed to the internet.
The reasoning here is that if there is, say, a buffer overflow attack
against your software, then an attacker can remotely inject and run
various sorts of shell-code exploits. If they can change arbitrary
files in the account's home directory, then they can relatively simply
get a login shell.
So, /tmp is not a good idea. / is actually a pretty good choice, and
similarly /var/empty (which is specifically designed for this sort of
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew@xxxxxxxxxxxxxxxxxxxxxx Kent, CT11 9PW
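
A check for the two properties discussed in this thread (a non-login shell, and a home directory the account cannot write to), as an added example that is not part of the original message. The function name, the account name, the uid/gid 64999 and the sample passwd lines are constructed for illustration; supplementary group membership is not checked.

```shell
#!/bin/sh
# Audit one passwd(5)-format line for an account that only runs a service.
# Findings reported: login-shell, writable-home. Prints "name: ok" otherwise.

audit_account() (
    # Fields: name:password:uid:gid:gecos:home:shell
    IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$1
EOF
    findings=""

    # An empty shell field means the system default shell, so anything
    # other than nologin or false is treated as a login shell.
    case ${shell##*/} in
        nologin|false) ;;
        *) findings="login-shell" ;;
    esac

    # The account can write to its home if the directory is world-writable
    # (like /tmp), owned by its uid with the owner write bit set, or
    # group-writable for its primary gid.
    hit=$(find "$home" -maxdepth 0 \( -perm -0002 \
            -o \( -user "$uid" -perm -0200 \) \
            -o \( -group "$gid" -perm -0020 \) \) 2>/dev/null) || true
    if [ -n "$hit" ]; then
        findings="${findings:+$findings,}writable-home"
    fi

    printf '%s: %s\n' "$name" "${findings:-ok}"
)

# Constructed sample lines: the same service account with the three home
# directories mentioned in the thread.
for home in /tmp / /var/empty; do
    audit_account "svc:*:64999:64999:Constructed service:$home:/sbin/nologin"
done
```

To audit a real system, feed the function each line of /etc/passwd for the accounts that run services.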