Usercreation-policy

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Wed Sep 24 20:06:12 UTC 2003


johnsonm at redhat.com ("Michael K. Johnson") writes:

>> > I think too, that most daemons need both a dedicated user and a
>> > dedicated group.
> ...
> Actually, I'd like to point forward to SELinux for a possible solution.
> With SELinux, you can generally separate them effectively without having
> different users/groups.

IMO, this is not a very good solution since:

* people without SELinux kernels will get a very insecure system, since
  their system would have lots of daemons which are running with the
  same uid
* within a SELinux context, you may need several helper daemons
  (e.g. identd, or a monitoring daemon) which would run with the
  same uid as the main daemon and could access this daemon itself
  (kill(2), ptrace(2)) or its files.



Enrico
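
Added example, not part of the original message: a small audit that applies the unprivileged kill(2) permission rule to `/proc/<pid>/status` data and reports which daemons share a uid and can therefore signal each other. The status excerpts, the daemon names (including the hypothetical `monitord`) and the uids are constructed sample data, and euid 0 is assumed to hold CAP_KILL.

```python
from itertools import permutations

# Constructed /proc/<pid>/status excerpts (Uid: real effective saved fs).
SAMPLE_STATUS = [
    "Name:\thttpd\nPid:\t811\nUid:\t48\t48\t48\t48\n",
    "Name:\tidentd\nPid:\t812\nUid:\t48\t48\t48\t48\n",
    "Name:\tmonitord\nPid:\t813\nUid:\t48\t48\t48\t48\n",
    "Name:\tnamed\nPid:\t820\nUid:\t25\t25\t25\t25\n",
    "Name:\tsshd\nPid:\t700\nUid:\t0\t0\t0\t0\n",
]

def parse_status(text):
    """Extract name, pid and the real/effective/saved uids from a status blob."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    ruid, euid, suid, _fsuid = (int(x) for x in fields["Uid"].split())
    return {"name": fields["Name"].strip(), "pid": int(fields["Pid"]),
            "ruid": ruid, "euid": euid, "suid": suid}

def can_signal(sender, target):
    """kill(2) rule for an unprivileged sender: its real or effective uid must
    equal the target's real or saved set-user-ID. euid 0 is treated as holding
    CAP_KILL (a simplification; capabilities are not parsed here)."""
    if sender["euid"] == 0:
        return True
    return bool({sender["ruid"], sender["euid"]} & {target["ruid"], target["suid"]})

def unprivileged_signal_pairs(procs):
    """(sender, target) name pairs where a non-root daemon may signal another."""
    return sorted((s["name"], t["name"]) for s, t in permutations(procs, 2)
                  if s["euid"] != 0 and can_signal(s, t))

def shared_uids(procs):
    """Map each non-root uid used by more than one process to those names."""
    by_uid = {}
    for p in procs:
        if p["euid"] != 0:
            by_uid.setdefault(p["euid"], []).append(p["name"])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}

if __name__ == "__main__":
    procs = [parse_status(s) for s in SAMPLE_STATUS]
    print(shared_uids(procs))
    for sender, target in unprivileged_signal_pairs(procs):
        print(f"{sender} may signal {target}")
```

On a live system the same functions can be fed the contents of each `/proc/<pid>/status` file instead of `SAMPLE_STATUS`.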




