[Adduser-devel] Bug#290623: adduser should never use "nogroup" as a user's group

Joerg Hoh joerg at joerghoh.de
Sun Jun 24 09:56:31 UTC 2007


On Saturday 15 January 2005, you wrote:
> Package: adduser
> Version: 3.59
> Severity: normal
>
> adduser should never use "nogroup" as the group for a user by default.
> The reason nobody and nogroup exist is so that processes can be sure of
> having no special access to the file system.  For this to work there
> mustn't be anything in the file system with uid/gid set to either.
> With system users in nogroup it's easy for files to be created with
> nogroup as their group, and though they usually won't be group writable,
> it's asking for trouble, with no benefit.

In my opinion any package that wants to use an unprivileged user ("nouser") or 
group ("nogroup") should create a separate user for that usage (see the 
www-data user for httpd). Otherwise there may be conflicts/security 
implications when 2 processes have dropped privileges and are now 
using "nouser:nogroup".

Joerg

-- 
What did you do to the cat? It looks half-dead. -Schroedinger's wife
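
An audit for the condition this bug report describes, as an added example that is not part of the original message or of adduser: it lists accounts, other than nobody itself, whose primary group is nogroup. The function names and the sample accounts (exampled, otherd) are constructed for illustration.

```sh
#!/bin/sh
# Added example: find accounts that share "nogroup" as their primary group.

# gid_of GROUP GROUP_FILE -> numeric gid of GROUP (empty if not found)
gid_of() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# accounts_in_primary_group GROUP PASSWD_FILE GROUP_FILE [SKIP_LOGIN]
# Prints "login:uid" for each account whose primary gid is GROUP's gid.
# SKIP_LOGIN (default: nobody) is the one account expected to be there.
# Returns 2 if GROUP is not defined in GROUP_FILE.
accounts_in_primary_group() {
    gid=$(gid_of "$1" "$3")
    [ -n "$gid" ] || return 2
    awk -F: -v gid="$gid" -v skip="${4:-nobody}" \
        '$4 == gid && $1 != skip { print $1 ":" $3 }' "$2"
}

# Constructed sample data in passwd(5) / group(5) format.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
exampled:x:110:65534::/var/lib/exampled:/usr/sbin/nologin
otherd:x:111:65534::/var/lib/otherd:/usr/sbin/nologin
EOF
cat > "$sample_dir/group" <<'EOF'
root:x:0:
www-data:x:33:
nogroup:x:65534:
EOF

# Two unrelated daemons end up sharing one gid; www-data does not.
accounts_in_primary_group nogroup "$sample_dir/passwd" "$sample_dir/group"

# On a live system (local files only, no NSS sources):
#   accounts_in_primary_group nogroup /etc/passwd /etc/group
# Files that already carry either id:
#   find / -xdev \( -user nobody -o -group nogroup \) -print
```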