Subject: Re: identd not responding (?)
To: David Mazieres <dm@amsterdam.lcs.mit.edu>
From: Neil J. McRae <neil@domino.org>
List: current-users
Date: 02/28/1996 12:41:15
On Mon, 26 Feb 1996 01:33:48 -0500 
 David Mazieres <dm@amsterdam.lcs.mit.edu> wrote:

> > ident           stream  tcp     wait    nobody.kmem /usr/libexec/identd identd -w -t60 -e -N
> 
> Isn't nobody.kmem an incredibly bad idea?  Nobody is supposed to be
> the least privileged UID.  Potentially many users can run arbitrary
> cgi-bin scripts or whatever as nobody.  And yet now you let any such
> user read /dev/kmem by ptracing identd.
> 
> I think root would actually be much safer than nobody.kmem.  If you
> don't trust the ident code enough to run as root, then at least choose
> any other uid EXCEPT nobody.
> 
I'm more worried about attacks from outside the machine than attacks from
inside the machine; in such an instance what we have is correct.


Neil.


--  
Neil J. McRae                                 DNS: Domino Network Services
neil@domino.org         NetBSD/sparc: 100% SpF (Solaris protection Factor)   
  Free the daemon in your computer!
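
The combination questioned in the quoted message (a shared low-privilege user paired with a sensitive group in an inetd.conf entry) can be checked for mechanically. The following is an added example, not part of the original thread; the `SHARED_USERS` and `SENSITIVE_GROUPS` sets, the sample file and the `identd` account in it are assumptions made for illustration.

```python
# Added example: flag inetd.conf entries that run as a shared unprivileged
# user while also holding a sensitive group, e.g. nobody.kmem.
SHARED_USERS = {"nobody"}      # assumption: accounts many services/users share
SENSITIVE_GROUPS = {"kmem"}    # assumption: groups that grant kernel memory access

# Constructed sample input. The first entry is the line quoted in the thread;
# the "identd" account in the last entry is hypothetical.
SAMPLE = """\
# service socket proto wait user[.group] program args
ident   stream  tcp  wait    nobody.kmem  /usr/libexec/identd  identd -w -t60 -e -N
finger  stream  tcp  nowait  nobody       /usr/libexec/fingerd fingerd
ident   stream  tcp  wait    identd.kmem  /usr/libexec/identd  identd -w -t60 -e -N
"""

def parse_entry(line):
    """Return (service, user, group, program), or None for comments and blanks."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 6:
        return None
    # The fifth field is user, user.group, or (in newer inetd) user:group.
    user, _, group = fields[4].replace(":", ".", 1).partition(".")
    return fields[0], user, group or None, fields[5]

def audit(text):
    """Return (line number, service, user.group, program) for each risky entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        service, user, group, program = entry
        if user in SHARED_USERS and group in SENSITIVE_GROUPS:
            findings.append((lineno, service, f"{user}.{group}", program))
    return findings

if __name__ == "__main__":
    for lineno, service, ident, program in audit(SAMPLE):
        print(f"line {lineno}: {service} ({program}) runs as {ident}")
```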