Taking this one step further, many consider running applications through a system account to be more secure (by further limiting resource access...) than simply running an application as root (which can access everything...). Access separation is considered a good thing, and logging into such accounts is not necessary.
Imagine you have a small server application running. You can run it as root, some user with login shell, or some user without login shell.
Your server application gets hit with a buffer overflow attack (for example; it could get hit with any range of other attacks as well). The attack's payload is set to insert an ssh key into $HOME/.ssh/authorized_keys, meaning the attacker can then ssh to the host machine without a password. As root, the attacker just compromised the entire machine. As a normal user, the attacker can log in and then launch priv. escalation attacks to gain root. As a user w/nologin, the attacker is stuck out in the cold. Make sense?
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 30th June 2011 at 03:19 PM.
Example application -- a database engine. The administrative userid is typically NOT root, but is postgresql, or mysql, or whatever. On OpenBSD, these system userids typically start with underscore, such as _postgresql. The startup scripts will use sudo or su to bring up the associated daemons, such as:
Code:
su -l _postgresql -c "nohup /usr/local/bin/pg_ctl start \
    -D /var/postgresql/data -l /var/postgresql/logfile \
    -o '-D /var/postgresql/data' >/dev/null"
Not enough explanations or examples, keep going.
Greetings to all!
Ocicat, "www" and "nobody" are system users? I thought that www was a service and nobody someone trying to break into my system. Can you please show me an example of how you will use "www" and "nobody" to do something useful. Thanks
Look at the output of the following commands on OpenBSD:
Code:
$ cat /etc/passwd | grep www
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
$ cat /etc/passwd | grep nobody
nobody:*:32767:32767:Unpriviledged user for NFS:/nonexistent:/sbin/nologin
$
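The passwd entries above show what a properly locked-down system account looks like: a `*` password and `/sbin/nologin` as the shell, so the authorized_keys scenario from rocket357's post cannot become an interactive session. The following script is an added example, not code from any poster in this thread, that turns that observation into a check: it reads passwd-format lines and reports every non-root account below a UID threshold that still has a real login shell. The `SAMPLE_PASSWD` content is constructed for the example (the `www` and `nobody` lines mirror the OpenBSD entries quoted above; the others, including a `_postgresql` account deliberately given `/bin/sh`, are made up), and the UID threshold of 1000 is an assumption about where human accounts start on the system being audited.

```shell
#!/bin/sh
# Added example: audit passwd-format input for system accounts that still
# have an interactive login shell. Service accounts (low UIDs, not root)
# are expected to use /sbin/nologin so that a planted
# ~/.ssh/authorized_keys cannot be turned into a shell session.

# Constructed sample passwd content. The www and nobody lines mirror the
# OpenBSD entries quoted in the thread; the remaining records are made up
# for this example, with _postgresql and backup intentionally misconfigured.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
nobody:*:32767:32767:Unprivileged user for NFS:/nonexistent:/sbin/nologin
_postgresql:*:503:503:PostgreSQL Manager:/var/postgresql:/bin/sh
backup:*:34:34:Backup user:/var/backups:/bin/ksh
alice:*:1000:1000:Alice:/home/alice:/bin/ksh'

# audit_passwd [UID_LIMIT]
# Reads passwd lines on stdin and prints "user:uid:shell" for every account
# with a UID below UID_LIMIT (default 1000, an assumed boundary between
# system and human accounts), excluding root, whose shell is not one of the
# recognised non-login shells. An empty shell field is NOT treated as safe:
# login(1) falls back to /bin/sh in that case.
audit_passwd() {
    limit=${1:-1000}
    awk -F: -v limit="$limit" '
        /^#/ || NF < 7 { next }          # skip comments and malformed records
        $3 == 0 { next }                 # root is expected to keep a shell
        $3 >= limit { next }             # ordinary human accounts
        $7 == "/sbin/nologin" ||
        $7 == "/usr/sbin/nologin" ||
        $7 == "/bin/false" { next }      # already locked down
        { print $1 ":" $3 ":" $7 }
    '
}

# Stand-alone run against the constructed sample; on a real host you would
# pipe /etc/passwd (or the output of getent passwd) into audit_passwd.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

Running the script against the sample lists `_postgresql:503:/bin/sh` and `backup:34:/bin/ksh`, while `www` and `nobody` pass because their shell is `/sbin/nologin`. Passing a lower threshold narrows the check to the lowest UID range; the accounts it reports are the ones whose shell should be changed with `usermod -s /sbin/nologin` (or, for a daemon that must run commands under that identity, started the way ocicat's `su -l ... -c` example does, which does not require a login shell on the account).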