Page last updated:
2006 Jun 24 11:17

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Purpose of "nobody" user?


   the "insane" UID (65534) is -2, where 0 can
be thought of as 00000 and -1 is one less,
which in CPU registers is all 1 values, i.e.
65535 and -2 is one less than -1, i.e.
65535 - 1 = 65534
   I forget the user name for -1 and here the
nobody user name has -2 for a UID (that's
what 65534 is in 16-bit land).
   There's one big shop I know of that uses
nobody (65534) as an application name,
I believe for a remote log in.
   In the case of a laptop that has no apps
remotely logging in, there might be some
human log in scheme that permits remote
logging in as the user nobody and with the
highly restricted file and command access
that (should be) associated with that account.


On Jun 23, 2006, at 12:39 PM, Rick Moen wrote:

Quoting Bill Kendrick (nbs@sonic.net):


Yesterday, I was helping Melissa add a user account to her laptop.
I decided to just point her at KDE's "Kuser" (K->System->"User Manager")
GUI tool, mostly because I wanted to see it. ;) ("adduser" is not hard to
use, but I figured most non-Unix-types would go hunting a GUI tool,
so wanted to familiarize myself with it.)

One thing she noticed was the user "nobody", which sounded suspicious.
And it had quite an insane UID (65534), compared to other user accounts.
Her first thought was to Google for 'nobody 65534', and found many, many
posts where people had obviously dumped their /etc/passwd to a mailing list
for help with this-or-that. Based on this, she seemed happy enough to
know it's just some "thing" that Linux does/has.

For the life of me, I couldn't really explain _what_ "nobody" is used for.
I'm familiar with it in terms of NCSA httpd and Apache, but beyond that...
A little help, here? :^D

I note with appreciation Rod's separate explanation. Mine will probably
suffer some inaccuracies because it attempts to reconstruct ancient *ix
lore from faulty memory.

The "nobody" account is one that became a traditional feature long ago,
as a "sandbox" user-ID/username for running automated processes under
without elevated privilege and without special access to any specific
real user's files. It's typically set to have either a locked password
or no valid shell, so as to not be an entry point for attackers.

I _think_ that it's _maybe_ (I was going to say "probably", but then
thought better) largely superfluous (but harmless) at this point,
because it eventually dawned on Unix admins that two separate automated
processes could have a common-mode security failure or other form of
disastrous interaction, such that it's better to set up a _distinct_
username for each such process to run under -- which is why Apache
httpd now typically runs as user "httpd" or such, for example.

Now, I can't swear that something won't break on your system, either
today or later on, if you were hypothetically to remove or further
restrict the "nobody" user. Some scripts might be running as "nobody"
from time to time -- maybe cronjobs?

Flashback: Early in my use of Unixes, I decided one day to "tighten
system security", and eventually got around to setting the various
non-real usernames in /etc/passwd to have shell /bin/false instead of
/bin/sh, /tmp/[username] for their shells, and so on. Big mistake: A
whole lot of crucial system maintenance broke -- because those usernames
turned out to need a real shell to do their work, though they didn't
have to be valid for login.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
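As an added example that is not part of this thread (the passwd data below is constructed, not anyone's real /etc/passwd), here is a small Python audit covering both points raised above: the first reply's observation that 65534 is -2 in 16-bit two's complement (generalized to any register width, so a 32-bit "nobody" at 4294967294 reads the same way), and Rick's points that several automated processes sharing the "nobody" UID is a common-mode risk and that system accounts may or may not need a real shell. The UID-range convention (system accounts below 1000, plus 65534) and the set of non-login shells are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample /etc/passwd content for this example (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
httpd:x:48:48:Apache:/var/www:/sbin/nologin
melissa:x:1001:1001:Melissa:/home/melissa:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
legacy-cgi:x:65534:65534:Legacy CGI runner:/var/www/cgi:/bin/false
"""

# Assumed conventions: shells that refuse interactive login, and the UID range
# treated as "system" accounts (Debian-style: below 1000, plus 65534 for nobody).
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
MAX_SYSTEM_UID = 999
NOBODY_UID = 65534


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                            "gecos": gecos, "home": home, "shell": shell})
        except ValueError:
            continue
    return entries


def signed_view(uid, bits):
    """Read an unsigned UID as a two's-complement signed integer of `bits` width.

    This is the arithmetic behind "65534 is -2": with the top bit set, the
    value is negative, and all-ones (65535 in 16 bits) is -1.
    """
    width = 1 << bits
    value = uid & (width - 1)
    return value - width if value >= width // 2 else value


def shared_uids(entries):
    """UIDs used by more than one account: processes running under them share
    exactly the file and process access that Rick's common-mode concern is about."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def system_accounts_with_shell(entries):
    """System accounts (root excluded) whose shell would allow an interactive
    session.  Reported only, not changed: some of them may need a real shell
    for maintenance jobs, as the flashback in the thread describes."""
    return [e["name"] for e in entries
            if e["uid"] != 0
            and (e["uid"] <= MAX_SYSTEM_UID or e["uid"] == NOBODY_UID)
            and e["shell"] not in NON_LOGIN_SHELLS]


def audit_report(text):
    """Run the three checks over passwd-format text and return the findings."""
    entries = parse_passwd(text)
    return {
        "shared_uids": shared_uids(entries),
        "system_accounts_with_shell": system_accounts_with_shell(entries),
        "nobody_signed_16": signed_view(NOBODY_UID, 16),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

The report deliberately stops at listing findings: the shared-UID entries are the ones worth splitting into distinct service accounts, while the "has a shell" list needs case-by-case review before any shell is changed to /bin/false.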

