On Mon, Jun 18, 2007 at 07:53:17PM +0200, Klaus Ethgen wrote:
> Hello Bill,
>
> On Mon, 18 Jun 2007 at 17:53, Bill Allombert wrote:
> > It is not the case on Debian by default:
> > nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
>
> That's true but it is not as safe as I wanna have it on my systems. (All
> system users on my system have /bin/sh if no special reason give other.)
>
> > Furthermore the point of user nobody is to be able to run processes
> > that have no file access permission outside 'other' (since no files are
> > owned by user or group nobody). If you preclude it from running
> > programs, then this user is useless. If nobody does not have a default
> > shell, every usage of 'su nobody' must hard-code a shell instead of
> > following /etc/passwd. This is generally a bad thing. Only root can 'su
> > nobody' anyway.
>
> That is incorrect. If you have to call something as nobody you know the
> shell where it has to run under. Also I never ever want a normal user to
> su to nobody at all! Moreover nobody has ever to run an interactive shell
> as user nobody! So there is no need for a shell for this user. It is
> only a security problem IF the user nobody has a shell and a server like
> i.e. the webserver has a security flaw when running code as user nobody
> the attacker has a shell for free (Sure with no home but there are other
> places where also nobody can write to)! So never give nobody a shell.

What is your attack model? So the server has a security flaw and runs as
user nobody. If the attacker can run arbitrary code as user nobody, why
cannot they just exec /bin/sh? Where does that make a difference?

If this is indeed a security flaw, we should fix Debian not just popcon.

Cheers,
Bill.
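
Added example, not part of the original thread: a small audit that parses passwd(5) entries such as the `nobody` line quoted above and lists system accounts whose shell field gives `login` or a plain `su <user>` a working shell. It assumes Debian's convention that UIDs below 1000 plus 65534 are system accounts and treats `nologin` and `false` as non-interactive; the function name, the state labels and all sample entries other than the `nobody` line are constructed.

```shell
#!/bin/sh
# Added example: audit the shell field of system accounts in passwd(5) data.
# Assumptions: UIDs below 1000 plus 65534 (nobody) are system accounts
# (Debian convention); nologin and false count as non-interactive shells.

audit_passwd_shells() {
    # Reads passwd(5)-format lines on stdin.
    # Prints "user uid shell pwstate" for each system account with a usable shell.
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        NF != 7 { next }                           # skip malformed entries
        {
            user = $1; pw = $2; uid = $3 + 0; shell = $7
            if (uid >= 1000 && uid != 65534) next  # ordinary user account
            if (shell == "") shell = "/bin/sh"     # passwd(5): empty field means /bin/sh
            if (shell ~ /\/(nologin|false)$/) next # no interactive shell
            # "*" or a leading "!" cannot match any password, so only a
            # privileged caller (root running su) reaches this shell.
            state = (pw == "*" || pw ~ /^!/) ? "pw-locked" : "pw-check-shadow"
            print user, uid, shell, state
        }'
}

# Constructed sample; the nobody line is the one quoted in the thread.
sample='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh'

printf '%s\n' "$sample" | audit_passwd_shells
```

The shell field is consulted by `login` and `su`; a process already running under the account's UID can exec any binary it is permitted to execute, whatever this field contains.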