Re: unprivledged users (for a service)



On 15/08/2011 17:42, Chuck Swiger wrote:
On Aug 15, 2011, at 9:37 AM, Chris Brennan wrote:
It's been a while since I've had to do this and the drive that contained
all of my notes is dead, along with the backup (I was actually lucky to
recover my home drive before it also failed but my notes were not
there). I cannot for the life of me remember how to properly add an
unprivledged user that will only be used for running a specific system
service. So it doesn't need a login shell or $HOME.

Add a user and set the shell to /bin/false or perhaps /sbin/nologin; for $HOME set it to /var/empty or /tmp, perhaps.

Good advice, except... for this sort of user that exists solely to run
various processes, generally it is preferable for them *not* to be able
to write to their home directory. Especially if the software concerned
is exposed to the internet.

The reasoning here is that if there is, say, a buffer overflow attack
against your software, then an attacker can remotely inject and run
various sorts of shell-code exploits. If they can change arbitrary
files in the accounts home directory, then they can relatively simply
get a login shell.

So, /tmp not a good idea. / is actually a pretty good choice, and
similarly /var/empty (which is specifically designed for this sort of
thing.)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew@xxxxxxxxxxxxxxxxxxxxxx Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature



Relevant Pages

  • Re: RH9: CTRL+MouseCLICK no longer making it to Mozilla
    ... >> Unfortunately I guess I will have to do that, but that's sort of like ... >> rebooting to see if the problem will go away rather than ... directories in my home directory so the system would create fresh ones ...
    (comp.os.linux.x)
  • Re: Is there a Linux "file-safe" for Fedoras home file..?
    ... I think he's asking for a file vault of some sort ... where you can maintain your own home directory as encrypted separate ... FYI - fuse encfs will do this - but, like all things fuse, its ...
    (Fedora)
  • Re: Screwed-up desktop in Gutsy
    ... I just loaded Gutsy on my computer. ... All of the files and directories in my home directory appear on the ... LOL that is how I ... sort of a dirty solution to the ...
    (Ubuntu)
  • Re: C-shell login script
    ... It's fine for a login shell if you like that sort of ... Have you tried ksh? ... For scripting I always explicitly use bourne or perl ...
    (comp.os.linux.setup)
  • Re: ERRATA : interactive and login shells: bug or design decision ?
    ... > under a login shell. ... Firing off a ... background task should not welcome you to the system, ... That sort of stuff should only be done when ...
    (SSH)