Re: System-users and-groups?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Wed, 10 May 2006 20:56:07 -0500
On 10 May 2006, in the Usenet newsgroup alt.linux, in article
<1147249054.587946.197370@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Koppe wrote:
Moe Trin wrote:
I haven't seen such a recommendation in a long time.
But you have? Where?
Specific? No. Generalities - my guess was that it was in a college course
on operating systems. Added to that is experience - not only with *nix,
but also with Novell Netware back in the early 1990s.
Was sort of toying with the idea of rolling my own distro... maybe.
There are a number of LDP Guides to consult (example: "linux-from-scratch")
as well as the Linux Standard Base documents.
(right around the time the tower gives a flock of pigs clearing from
runway one-niner at JFK International...)
Given the current designations of the runways there as 4L/R, 13L/R
22L/R and 31L/R (I used to drive aeroplains on the side-job), that may
take some time for the magnetic pole to move enough (or the Port Authority to
pull their fingers out and build another runway parallel to the existing
taxiway 'Z' - which was to be "runway V" in the original 1942 design for
Idlewild airport that was renamed JFK in 1963). However, please consult
RFC1925 Section 2, Truth (3), which states:
(3) With sufficient thrust, pigs fly just fine. However, this is
not necessarily a good idea. It is hard to be sure where they
are going to land, and it could be dangerous sitting under them
as they fly overhead.
have you looked at the size of that task?
Not necessery *that* hard of a task. Changing
group for everything under bin/sbin to bin shouldn't
change too much... even changing the owner to
bin shouldn't do so much. Then I could just look
for files set UID and/or GID and set suitable owner
and/or group for them.
[compton ~]$ find / -perm +6000 -exec ls -ld {} \; 2> /dev/null | wc -l
58
[compton ~]$
Of course all system have more users and groups, but
I (am sure I) read somewhere that the only users and
groups you *had to* have -- wheter it was in accordance
to some standard or some kernel internal I don't know --
was root and bin... obviously such a system wouldn't
be sufficiantly compartmentlize to be very secure.
Well, you _could_ have everything under one user (root), but that doesn't
make it a good idea. I suspect you would find it beneficial to have more
than two users - where you are effectively granting other users greater
access - it's a granularity type of thing.
My point is, that with all the *other* users and groups,
name and ID # can be chosen (more) freely... root and
bin have fixed ID #s.
Root (or the BSD alternative 'toor') has to be "0" because the UID is
what is checked, not the username. "bin"? I dunno - not on this system.
Use the 'find' command looking for -user UID and then -group GID. On this
system, I find
0 root Lots
1 bin yes /usr/sbin/arpwatch
2 daemon yes /var/spool/at/
9 news yes
The following MAY own files when running:
14 ftp, 99 nobody
For groups, 'root', 'bin', 'daemon', 'sys', 'tty', 'disk', 'lp', 'kmem',
'mail', 'news', 'uucp', 'man', 'floppy', 'games', and 'ftp' have files,
but only 13 files are SGID, and most of those are about printing.
But still there seem to by many users and groups that
seems to do nothing... so why put them there? Surely
they're supposed to do *something*.
Some of it is likely 'tradition' - they're there if you need them. An example
are group uucp owning the modem, and group man owning /var/catman/*.
I would think it would be desirable to run various system-processes
(daemons) with as low privliges as possible, and to otherwise restrict
access as much as possible.
That is in general what is done.
Yet almost all runs as root...
Most running _as_ root (as opposed to running _by_ root) do so because
they need to do things - [x]identd - listening to ports, and starting
other daemons, etc. Others like kflushd or kswapd run as root because they
need access to the system hardware. crond has to be able to become other
users when forking their jobs. That's a reason for user 'nobody'.
But maybe some experienced user... maybe root's non-root alter-ego...
This user could then add, remove and change permission
for *simple* commands (there still are a few commands
that have to be manually copied into place).
That's the purpose of 'su|sudo|asroot' and so on. But despite (or because
of) 30 plus years of experience, we're still finding 'gotcha' stuff on a
regular basis. There is no such thing as a "simple" command.
Besides, if two people is locked *alone* in an empthy room
and one of them end-up being murdered, it's not really a
mystery who did it.
A good lawyer might be able to prove otherwise. Then again...
Likewise if root allow one other to get near-root priviliges and the
system suddenly ends-up toasted while root wasn't using it.
That's why we don't give out the 'root' password, and all su and sudo
events are logged to a teleprinter. I've got about 1400 users, maybe
50 of which have su or sudo accounts. Does stuff happen? Sure. Wanna
guess how long it takes to restore a 9 Gig server partition that is used
as NFS mounts for user home directories? About 4 hours. How do I know?
Well, someone was removing old home directories of departed interns, and
made a minor typo... she doesn't work here any more, but that's because
she decided the pressure was to great. She wasn't fired. (A couple users
lost about 3 hours worth of work, and were MOST unhappy, but they're only
users.)
Old guy
.
- References:
- Re: System-users and-groups?
- From: Koppe
- Re: System-users and-groups?
- Prev by Date: latest ati drier and 2.6.16 on amd64 COMPILE ERROR
- Next by Date: HELP PLEASE :-(
- Previous by thread: Re: System-users and-groups?
- Next by thread: latest ati drier and 2.6.16 on amd64 COMPILE ERROR
- Index(es):
Relevant Pages
|
