Subject: Re: CVS commit: src/etc
To: Jim Wise <email@example.com>
From: Peter Postma <firstname.lastname@example.org>
Date: 04/06/2005 18:33:03

On Wed, Apr 06, 2005 at 11:20:58AM -0400, Jim Wise wrote:
> >Log Message:
> >Add _pflogd group.
> Is there any reason this group cannot be simply `pflogd'? We don't have
> any other groups with _ in their name...

The idea is to prefix new system-users/groups with an _, so that they are
in their own namespace.

> More generally, what does _pflogd have access to that prevents it from
> being subsumed into, e.g. `daemon'?

None. If pflogd(8) gets compromised then no-one can do anything with it
because _pflogd has no special privileges and no other program is using the
user/group. daemon, however, is used by other programs, so when one of
them gets compromised, the others might be easy/easier to compromise too.
This may sound like OpenBSD paranoia, but I think it's reasonable to