Re: [vox-tech] Purpose of "nobody" user?
The "insane" UID (65534) is -2, where 0 can be thought of as 00000 and -1 is one less, which in CPU registers is all 1 values, i.e. 65535, and -2 is one less than -1, i.e. 65535 - 1 = 65534.

I forget the user name for -1, and here the nobody user name has -2 for a UID (that's what 65534 is in 16-bit land).

There's one big shop I know of that uses nobody (65534) as an application name, I believe for a remote login.

In the case of a laptop that has no apps remotely logging in, there might be some human login scheme that permits remote logging in as the user nobody, with the highly restricted file and command access that (should be) associated with that account.
On Jun 23, 2006, at 12:39 PM, Rick Moen wrote:
Quoting Bill Kendrick (nbs@sonic.net):
Yesterday, I was helping Melissa add a user account to her laptop. I decided to just point her at KDE's "Kuser" (K->System->"User Manager") GUI tool, mostly because I wanted to see it. ;) ("adduser" is not hard to use, but I figured most non-Unix-types would go hunting a GUI tool, so wanted to familiarize myself with it.)
One thing she noticed was the user "nobody", which sounded suspicious. And it had quite an insane UID (65534), compared to other user accounts.
Her first thought was to Google for 'nobody 65534', and found many, many posts where people had obviously dumped their /etc/passwd to a mailing list for help with this-or-that. Based on this, she seemed happy enough to know it's just some "thing" that Linux does/has.
For the life of me, I couldn't really explain _what_ "nobody" is used for. I'm familiar with it in terms of NCSA httpd and Apache, but beyond that...

A little help, here? :^D
I note with appreciation Rod's separate explanation. Mine will probably suffer some inaccuracies because it attempts to reconstruct ancient *ix lore from faulty memory.
The "nobody" account is one that became a traditional feature long ago, as a "sandbox" user-ID/username for running automated processes under without elevated privilege and without special access to any specific real user's files. It's typically set to have either a locked password or no valid shell, so as to not be an entry point for attackers.
I _think_ that it's _maybe_ (I was going to say "probably", but then thought better) largely superfluous (but harmless) at this point, because it eventually dawned on Unix admins that two separate automated processes could have a common-mode security failure or other form of disastrous interaction, such that it's better to set up a _distinct_ username for each such process to run under -- which is why Apache httpd now typically runs as user "httpd" or such, for example.
Now, I can't swear that something won't break on your system, either today or later on, if you were hypothetically to remove or further restrict the "nobody" user. Some scripts might be running as "nobody" from time to time -- maybe cronjobs?
Flashback: Early in my use of Unixes, I decided one day to "tighten system security", and eventually got around to setting the various non-real usernames in /etc/passwd to have shell /bin/false instead of /bin/sh, /tmp/[username] for their shells, and so on. Big mistake: A whole lot of crucial system maintenance broke -- because those usernames turned out to need a real shell to do their work, though they didn't have to be valid for login.
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
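An added example, not part of the thread above nor of any tool the posters mention: a small Python audit of passwd/shadow-style data that puts the two technical points of the thread into code. First, a two's-complement reinterpretation that shows why 65534 reads as -2 in 16 bits (and generalizes to other widths). Second, a check of pseudo-accounts against Rick's rule that such an account should have either a locked password or no valid shell, without repeating his mistake of treating a real shell alone as the problem: an account with a locked password and /bin/sh passes, while an account with an empty or live password and a login shell is flagged. It also flags distinct user names that share one UID, since the kernel cannot separate their processes or files, which is the common-mode concern behind running each service under its own user. The /etc/passwd and /etc/shadow contents, including the "nfsnobody" entry and the hashes, are constructed for the example; the helper names (`uid_as_signed`, `audit`, and so on) are this example's own.

```python
"""Audit pseudo-accounts such as "nobody" in passwd(5)/shadow(5)-style data.

Added example; the sample account data below is constructed, not copied
from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Shells that refuse an interactive login. A locked password is the *other*
# acceptable way to keep a pseudo-account out of reach; as the thread notes,
# some of these accounts still need a real shell for cron/maintenance work.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def uid_as_signed(uid: int, bits: int = 16) -> int:
    """Reinterpret an unsigned UID as a two's-complement signed value.

    With the default 16 bits, 65535 is -1 and 65534 ("nobody") is -2; the
    same reinterpretation with bits=32 turns 4294967294 into -2.
    """
    if bits <= 0:
        raise ValueError("bits must be positive")
    uid &= (1 << bits) - 1                      # keep only the low `bits` bits
    return uid - (1 << bits) if uid >= 1 << (bits - 1) else uid


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    password: str  # raw passwd field; "x" means "look in shadow"


def parse_passwd(text: str) -> dict:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell) by user name."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = Account(name, int(uid), int(gid), home, shell, pw)
    return accounts


def parse_shadow(text: str) -> dict:
    """Return name -> password-hash field from shadow(5) lines."""
    hashes = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        hashes[parts[0]] = parts[1]
    return hashes


def password_locked(field: str) -> bool:
    """A hash field starting with '!' or '*' can never match, so it is locked.
    An empty field is *no* password at all, the opposite of locked."""
    return field.startswith(("!", "*"))


def audit(passwd_text: str, shadow_text: str, system_uid_max: int = 999) -> list:
    """Return (who, reason) findings for system/pseudo-accounts."""
    accounts = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings, by_uid = [], defaultdict(list)
    for acct in accounts.values():
        by_uid[acct.uid].append(acct.name)
        if acct.uid == 0:                       # root is a real login account
            continue
        if not (acct.uid <= system_uid_max or acct.uid == 65534):
            continue                            # ordinary human user
        field = shadow.get(acct.name, None if acct.password == "x" else acct.password)
        if field is None:
            findings.append((acct.name, "no shadow entry for shadowed password"))
            continue
        if acct.shell not in NOLOGIN_SHELLS and not password_locked(field):
            reason = "empty password" if field == "" else "unlocked password"
            findings.append((acct.name, f"{reason} with login shell {acct.shell}"))
    # Two names on one UID are one principal to the kernel: no isolation.
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append((",".join(sorted(names)), f"share UID {uid}"))
    return findings


# Constructed sample data (hashes are placeholders, not real hashes).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
nfsnobody:x:65534:65534:anon NFS:/nonexistent:/bin/false
melissa:x:1000:1000:Melissa:/home/melissa:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$constructed$notarealhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
backup::19500:0:99999:7:::
nobody:*:19500:0:99999:7:::
nfsnobody:!:19500:0:99999:7:::
melissa:$6$constructed$notarealhash2:19500:0:99999:7:::
"""

if __name__ == "__main__":
    print("UID 65534 as a signed 16-bit value:", uid_as_signed(65534))
    for who, reason in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{who}: {reason}")
```

On the constructed data, "daemon" and "nobody" pass even though their shell is /bin/sh, because their password field is locked ("*"); "backup" is flagged because its shadow field is empty (no password) while its shell is a login shell; and "nobody"/"nfsnobody" are reported as sharing UID 65534. Run against a real host (as root, since /etc/shadow is not world-readable), the same logic is a quick way to tell a harmless pseudo-account from one that is an actual entry point.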