Subject: Re: CVS commit: src/etc
To: Jim Wise <>
From: Peter Postma <>
List: tech-userlevel
Date: 04/06/2005 18:33:03
On Wed, Apr 06, 2005 at 11:20:58AM -0400, Jim Wise wrote:
> >Log Message:
> >Add _pflogd group.
> Is there any reason this group cannot be simply `pflogd'?  We don't have 
> any other groups with _ in their name...

The idea is to prefix new system-users/groups with an _, so that they are
in their own namespace.

> More generally, what does _pflogd have access to that prevents it from 
> being subsumed into, e.g. `daemon'?

None. If pflogd(8) gets compromised then no-one can do anything with it
because _pflogd has no special privileges and no other program is using the
user/group. daemon, however, is used by other programs, so when one of
them gets compromised, the others might be easy/easier to compromise too.

This maybe sounds like OpenBSD paranoia, but I think it's reasonable to
follow this.

Peter Postma