[arch-general] [arch-dev-public] adding http user/group to filesystems

Jan de Groot jan at jgc.homeip.net
Sun Jun 22 13:41:33 EDT 2008


On Sun, 2008-06-22 at 18:36 +0200, Arvid Ephraim Picciani wrote:
> > > Why not just use nobody for programs that need their own user, as a sane
> > > default. Any smart admin should create any groups and users himself when
> > > necessary. And prevents cluttering of unnecessary users/groups. For
> > > example in my httpd setups, the http users would never be used.
> > >
> > > IMO.
> > >
> > > Glenn
> >
> > Using nobody for each and every service makes the nobody user unsafe to
> > use. As soon as one of your daemons is compromised, all of them are
> > compromised also because they share the same user.
> 
> Before a specific point in Arch history we used to tell people that making a
> system "secure" and "easy" is the job of a sysadmin.
> 
> For people who like a default "security" without rtfm, there is always Debian.
> 
> Arch doesn't need any scripts. If you're bored and don't know what to do with
> your free time I suggest either fixing one of the gazillion bugs in the
> Debian easy-out-of-the-box install scripts or playing chess. You can waste
> hours with that without giving us a big time headache when fixing the crap
> your automatic installers do.

Bad system design is something else than leaving people on their own to
secure things. These user accounts own files. Do you think it's sane to
tell users to chown the files back to the user they assigned to it on
every package upgrade? Pacman takes backups of configuration files, but
doesn't preserve ownership on a package upgrade.
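
The shared-account concern raised in this thread can be checked on a running system. The following is an added example, not part of the original message or of any Arch tooling: it lists every account that runs more than one distinct daemon, reading "USER COMMAND" lines in the shape that `ps -eo user=,comm=` prints. The function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts shared by several daemons.
# A compromise of any one daemon in a reported group gives access to
# everything the shared account owns, including the other daemons' files.

# Reads "USER COMMAND" lines on stdin (only the first word of the command
# is used) and prints "user: cmd1,cmd2,..." for each account that runs
# more than one distinct command. Output is sorted for stable comparison.
shared_accounts() {
    LC_ALL=C sort -u | awk '
        NF >= 2 {
            count[$1]++
            cmds[$1] = cmds[$1] (cmds[$1] ? "," : "") $2
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print u ": " cmds[u]
        }
    ' | LC_ALL=C sort
}

# Constructed sample input, standing in for real ps output.
sample_ps() {
    cat <<'EOF'
root sshd
nobody httpd
nobody httpd
nobody dnsmasq
nobody memcached
http lighttpd
mysql mysqld
EOF
}

# Demonstration on the constructed sample.
sample_ps | shared_accounts
```

On a live system the same function can be fed with `ps -eo user=,comm= | shared_accounts`; root will normally appear in that output and has to be judged separately from unprivileged service accounts.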




