Subject: Re: CVS commit: src/etc
To: Jim Wise <email@example.com>
From: Peter Postma <firstname.lastname@example.org>
Date: 04/06/2005 19:06:37
On Wed, Apr 06, 2005 at 12:37:52PM -0400, Jim Wise wrote:
> On Wed, 6 Apr 2005, Peter Postma wrote:
> >The idea is to prefix new system-users/groups with an _, so that they are
> >in their own namespace.
> Really? Whose idea? Where was this discussed? What other groups have
> we ever introduced this way?
> Please change this group name to pflogd.
It was discussed for the _pflogd user somewhere in september 2004 and I got
approval from core to add the user and group. I'd rather not rename it
because then we will be incompatible with FreeBSD/OpenBSD.
> >>> More generally, what does _pflogd have access to that prevents it from
> >> being subsumed into, e.g. `daemon'?
> >None. If pflogd(8) gets compromised then no-one can do anything with it
> >because _pflogd has no special privileges and no other program is using the
> >user/group. daemon, however, is used by other programs, so when one of
> >them gets compromised, the others might be easy/easier to compromise too.
> >This maybe sounds like OpenBSD paranoia, but I think it's reasonable to
> >follow this.
> If the goal is to ensure that someone who compromises pflogd does not
> get access to useful services, it should run as nobody or as daemon.
There are tons of programs running under nobody or daemon. This just
reduces the window of vulnerability if one service gets compromised.
> I do _not_ think it makes sense to have one group per possible service a
> host might run -- if we go that, /etc/group will grow very long indeed.
Yes, but I don't see why that would be a problem.
> Let's not just cargo-cult over `security' practices when importing
> software, _please_.
You might not think this improves security, but I think it does.
And why should we do this different than OpenBSD? Their pflogd(8) has
been developed in a way to reduce potentional security issues, why
should we ignore that?