Subject: Re: CVS commit: src/etc
To: Jim Wise <jwise@draga.com>
From: Peter Postma <peter@pointless.nl>
List: tech-userlevel
Date: 04/06/2005 19:06:37
On Wed, Apr 06, 2005 at 12:37:52PM -0400, Jim Wise wrote:
> On Wed, 6 Apr 2005, Peter Postma wrote:
> >The idea is to prefix new system-users/groups with an _, so that they are
> >in their own namespace.
>
> Really? Whose idea? Where was this discussed? What other groups have
> we ever introduced this way?
>
> Please change this group name to pflogd.
>
It was discussed for the _pflogd user somewhere in September 2004 and I got
approval from core to add the user and group. I'd rather not rename it
because then we will be incompatible with FreeBSD/OpenBSD.
> > > More generally, what does _pflogd have access to that prevents it from
> > > being subsumed into, e.g. `daemon'?
> > >
> >
> >None. If pflogd(8) gets compromised then no-one can do anything with it
> >because _pflogd has no special privileges and no other program is using the
> >user/group. daemon, however, is used by other programs, so when one of
> >them gets compromised, the others might be easy/easier to compromise too.
> >
> >This maybe sounds like OpenBSD paranoia, but I think it's reasonable to
> >follow this.
>
> If the goal is to ensure that someone who compromises pflogd does not
> get access to useful services, it should run as nobody or as daemon.
>
There are tons of programs running under nobody or daemon. This just
reduces the window of vulnerability if one service gets compromised.
> I do _not_ think it makes sense to have one group per possible service a
> host might run -- if we go that way, /etc/group will grow very long indeed.
>
Yes, but I don't see why that would be a problem.
> Let's not just cargo-cult over `security' practices when importing
> software, _please_.
>
You might not think this improves security, but I think it does.
And why should we do this differently from OpenBSD? Their pflogd(8) has
been developed in a way to reduce potential security issues, why
should we ignore that?
--
Peter Postma
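The shared-uid argument in the message above, as an added example that is not part of this thread or of NetBSD's or OpenBSD's pflogd(8): it measures the "blast radius" of a compromised daemon by listing every other process that runs under the same uid (and could therefore be signalled, ptraced or have its files replaced by the attacker), and checks whether an account looks like a dedicated per-service pseudo-user. The ps(1) and passwd(5) listings are constructed for the example, and the uid 99 chosen for `_pflogd` is an assumption, not the value any BSD actually assigns.

```python
"""Added example, not code from the thread or from any BSD project.

Shows why a dedicated pseudo-user (_pflogd) limits what a compromised
daemon can reach compared with the shared `daemon' and `nobody' accounts.
"""


# Constructed sample modelled on `ps -ax -o uid,user,comm`; uids and the
# set of running services are illustrative, not taken from a real host.
PS_OUTPUT = """\
  UID USER     COMMAND
    0 root     init
    0 root     syslogd
    1 daemon   portmap
    1 daemon   lpd
    1 daemon   ntpd
32767 nobody   httpd
32767 nobody   identd
   99 _pflogd  pflogd
"""

# Constructed passwd(5) fragment. The _pflogd uid/gid of 99 is an assumption.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
_pflogd:*:99:99:pflogd pseudo-user:/var/empty:/sbin/nologin
"""


def parse_ps(text):
    """Turn the header-prefixed ps listing into (uid, user, command) tuples."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the column header
        uid, user, comm = line.split(None, 2)
        procs.append((int(uid), user, comm))
    return procs


def same_uid_peers(text, comm):
    """Other processes that share a uid with `comm`.

    Without any extra privilege, a process can send signals to, ptrace, and
    (where the binaries or state files are uid-owned) tamper with anything
    running as the same uid, so this list is what a compromise of `comm`
    gains access to purely through account sharing.
    """
    procs = parse_ps(text)
    uids = {uid for uid, _, c in procs if c == comm}
    return sorted(c for uid, _, c in procs if uid in uids and c != comm)


def check_dedicated_account(passwd_text, name):
    """Return the ways `name` falls short of a per-service pseudo-user:
    it should live in the `_` namespace, own its uid alone, and have a
    non-interactive shell. An empty list means it passes."""
    entries = [line.split(":") for line in passwd_text.splitlines() if line]
    by_name = {e[0]: e for e in entries}
    entry = by_name[name]
    uid = entry[2]
    problems = []
    if not name.startswith("_"):
        problems.append("name not in the _ namespace")
    if sum(1 for e in entries if e[2] == uid) != 1:
        problems.append("uid shared with another account")
    if not entry[6].endswith("nologin"):
        problems.append("shell allows login")
    return problems


if __name__ == "__main__":
    for daemon in ("pflogd", "lpd", "httpd"):
        print(daemon, "can reach:", same_uid_peers(PS_OUTPUT, daemon) or "nothing")
    for account in ("_pflogd", "daemon", "nobody"):
        print(account, "->", check_dedicated_account(PASSWD, account) or "ok")
```

Run against the constructed listing, pflogd reaches nothing, while lpd reaches ntpd and portmap and httpd reaches identd; the same script pointed at a real `ps` listing shows how many services on a host currently share `daemon` or `nobody`.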