[arch-general] [arch-dev-public] adding http user/group to filesystems

Jan de Groot jan at jgc.homeip.net
Sun Jun 22 12:20:40 EDT 2008


On Sun, 2008-06-22 at 18:04 +0200, RedShift wrote:
> Pierre Schmitz wrote:
> > Hi,
> > 
> > as mentioned in the apache thread I would like to use a dedicated user/group 
> > for our different webserver packages. To achieve this I'd like to add the 
> > user/group http to our filesystem package. (It already contains them for 
> > mail and ftp)
> > 
> > According to 
> > http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database uid/gid 
> > 33 should be free for use.
> > 
> > An install script to add those for upgraders has to be added, too.
> > 
> > Another approach would be adding an install script creating those groups to 
> > the webserver packages.
> > 
> > What do you think is best?
> > 
> > Pierre
> 
> Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessary. And prevents cluttering of unnecessary users/groups. For example in my httpd setups, the http users would never be used.
> 
> IMO.
> 
> Glenn
> 

Using nobody for each and every service makes the nobody user unsafe to
use. As soon as one of your daemons is compromised, all of them are
compromised also because they share the same user.
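
The condition described in this reply can be checked on a running system. The script below is an added example, not part of the original message: it lists every non-root account under which more than one distinct daemon runs. The function names and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts shared by more than one distinct daemon.
# Input (stdin): "<user> <command>" per line, as printed by
#   ps -eo user=,comm=
# Output: one line per shared account, "<user>: cmd1 cmd2 ...".
shared_service_users() {
    # $1 (optional): space-separated accounts to ignore; default "root",
    # since root processes are not separated from each other by UID anyway.
    awk -v skip="${1:-root}" '
        BEGIN {
            n = split(skip, s, " ")
            for (i = 1; i <= n; i++) ignore[s[i]] = 1
        }
        NF >= 2 && !($1 in ignore) {
            key = $1 SUBSEP $2
            if (!(key in seen)) {      # count each distinct command once
                seen[key] = 1
                count[$1]++
                cmds[$1] = cmds[$1] " " $2
            }
        }
        END {
            # An account with two or more different commands is a shared
            # trust domain: each process can signal, trace and touch the
            # files of the others.
            for (u in count)
                if (count[u] > 1) print u ":" cmds[u]
        }
    ' | sort
}

# Constructed sample process table (not taken from a real host).
sample_ps() {
    cat <<'EOF'
root init
root sshd
nobody httpd
nobody httpd
nobody vsftpd
nobody dnsmasq
mail postfix
http lighttpd
EOF
}

# On a live system: ps -eo user=,comm= | shared_service_users
```

With the sample input only `nobody` is reported, because three different daemons run under it; `mail` and `http` each carry a single service.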




