Subject: Re: CVS commit: src/etc
To: Peter Postma <peter@pointless.nl>
From: Jim Wise <jwise@draga.com>
List: tech-userlevel
Date: 04/06/2005 12:37:52
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 6 Apr 2005, Peter Postma wrote:

>On Wed, Apr 06, 2005 at 11:20:58AM -0400, Jim Wise wrote:
>> >Log Message:
>> >Add _pflogd group.
>> 
>> Is there any reason this group cannot be simply `pflogd'?  We don't have 
>> any other groups with _ in their name...
>> 
>
>The idea is to prefix new system-users/groups with an _, so that they are
>in their own namespace.

Really?  Whose idea?  Where was this discussed?  What other groups have 
we ever introduced this way?

Please change this group name to pflogd.


>> More generally, what does _pflogd have access to that prevents it from 
>> being subsumed into, e.g. `daemon'?
>>
>
>None. If pflogd(8) gets compromised then no-one can do anything with it
>because _pflogd has no special privileges and no other program is using the
>user/group. daemon, however, is used by other programs, so when one of
>them gets compromised, the others might be easy/easier to compromise too.
>
>This maybe sounds like OpenBSD paranoia, but I think it's reasonable to
>follow this.

If the goal is to ensure that someone who compromises pflogd does not 
get access to useful services, it should run as nobody or as daemon.

I do _not_ think it makes sense to have one group per possible service a 
host might run -- if we go that way, /etc/group will grow very long indeed.

Let's not just cargo-cult over `security' practices when importing 
software, _please_.

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)

iD8DBQFCVBBkpRpI6SYACmIRAnI8AJwJPo+blq+4LCAppIddylr0G7NzKgCgone9
R0JZZdAWrTt0IYNNBAhOG6U=
=abpO
-----END PGP SIGNATURE-----
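The disagreement above turns on a concrete, checkable property: whether a
service account's group is shared with other accounts, so that a compromise
of one daemon reaches the files and sockets of another. The script below is
an added example, not code from the thread or from NetBSD, that audits a
passwd file and a group file for groups with more than one member (counting
both primary membership from passwd and supplementary membership from
group). The passwd and group contents, the account names `httpd`, `foo` and
`bar`, and all uid/gid values are constructed sample data, not NetBSD's real
assignments.

```shell
#!/bin/sh
# Added example (not from the thread): list every group that has more than
# one member, counting primary membership (passwd field 4) and supplementary
# membership (group field 4). A dedicated per-daemon group like _pflogd
# should never appear in the output; a shared group like daemon will.

# Constructed sample passwd (7-field name:pw:uid:gid:gecos:home:shell).
# Ids and the accounts httpd, foo and bar are hypothetical.
SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon pseudo-user:/:/sbin/nologin
ntpd:*:15:15:NTP pseudo-user:/var/chroot/ntpd:/sbin/nologin
_pflogd:*:18:18:pflogd pseudo-user:/var/chroot/pflogd:/sbin/nologin
httpd:*:24:24:web server pseudo-user:/var/www:/sbin/nologin
foo:*:100:1:hypothetical daemon running in group daemon:/var/foo:/sbin/nologin
bar:*:101:1:hypothetical daemon running in group daemon:/var/bar:/sbin/nologin'

# Constructed sample group (name:pw:gid:members).
SAMPLE_GROUP='wheel:*:0:root
daemon:*:1:
ntpd:*:15:
_pflogd:*:18:
www:*:24:httpd'

# shared_groups PASSWD GROUP
# Prints "group: member1 member2 ..." for each group with more than one
# distinct member, sorted by group name. Prints nothing if no group is shared.
shared_groups() {
    awk -F: '
        # Record a (gid, user) pair once, whatever file it came from.
        function add(gid, user) {
            if (!((gid SUBSEP user) in seen)) {
                seen[gid SUBSEP user] = 1
                members[gid] = members[gid] " " user
                n[gid]++
            }
        }
        # First file (group): gid -> name, plus supplementary members.
        FNR == NR {
            gname[$3] = $1
            if ($4 != "") {
                m = split($4, sup, ",")
                for (i = 1; i <= m; i++) add($3, sup[i])
            }
            next
        }
        # Second file (passwd): every account is a member of its primary gid.
        { add($4, $1) }
        END {
            for (gid in n)
                if (n[gid] > 1)
                    printf "%s:%s\n", (gid in gname ? gname[gid] : gid), members[gid]
        }' "$2" "$1" | sort
}

# demo: run the audit over the constructed sample data.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp/group"
    shared_groups "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On the sample data only `daemon` is reported, with `daemon`, `foo` and `bar`
as members; `_pflogd`, `ntpd` and `www` each have exactly one member and are
silent. On a live system run `shared_groups /etc/passwd /etc/group`; any
service account that shows up under a shared group is one where Peter's
concern applies, and any `_`-prefixed or per-daemon group that shows up is
one whose isolation has been eroded by a later edit.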