On Sat, 22 May 1999, Bob Hilliard wrote:

> For security reasons, it is frequently recommended that daemons
> that do not require root privileges be run as `nobody' or as
> `daemon'. Since root privileges are required to write to /var/run,
> such daemons cannot write a standard pidfile.
>
> One obvious solution is to hack the source so it can be started
> as root, then, after writing the pidfile and doing any other chores
> that require root permissions, drop those permissions and become
> 'nobody'. This makes it necessary to leave the stale pidfile on
> termination, or re-assume the root privileges, which may be a small
> security hole. This solution, of course, requires that the maintainer
> possess the necessary skills to hack the source, which is beyond the
> capabilities of many maintainers.
>
> For those daemons whose Makefile provides for setting the `pid'
> variable, I propose that Makefile.in be modified to define
> `pid=/var/run/daemon/<packagename>.pid'. The postinst would create the
> subdirectory `/var/run/daemon', if it doesn't exist, with 1755
> permissions and owned by 'daemon'. This would allow any process
> running as `daemon' to write a pidfile to this directory.
I've already suggested on debian-devel that we change /var/run to be
group daemon and mode 1775, then every daemon can have its own UID (so
a compromised daemon can't easily corrupt other daemons). Some
discussion ensued, but no positive results.

-- 
I am in London and would like to meet any Linux users here. I plan to
work in London until April and then move to another place where the pay
is good.
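As an added illustration (not code from either poster), the check below accepts both pidfile layouts discussed in the thread, a daemon-owned `/var/run/daemon` at 1755 and a group-writable `/var/run` at 1775, while rejecting a plain world-writable directory, and the writer copes with the stale pidfile a daemon leaves behind when it can no longer unlink it after dropping root. It assumes a POSIX host; the directory and file names are constructed for the example.

```python
import os
import stat

def pidfile_dir_is_safe(directory, daemon_uid):
    """True if `directory` is a sane pidfile location for a daemon running
    as `daemon_uid`: owned by that uid or root, and not group/other
    writable unless the sticky bit is set (so 1755 owned by the daemon and
    1775 with the sticky bit both pass; a bare 0777 does not)."""
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid not in (0, daemon_uid):
        return False
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        return False
    return True

def _alive(pid):
    """Signal 0 probes for existence without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True      # exists, but belongs to another uid
    return True

def write_pidfile(path):
    """Create `path` exclusively and record our pid. Returns the pid, or
    None if a live process already holds the file. A stale file (its pid
    is dead) is replaced; a symlink in its place is refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError:
        if not stat.S_ISREG(os.lstat(path).st_mode):
            raise OSError("refusing to use non-regular pidfile %s" % path)
        with open(path) as f:
            old = f.read().strip()
        if old.isdigit() and int(old) > 0 and _alive(int(old)):
            return None
        os.unlink(path)  # stale entry left by a previous instance
        fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % os.getpid())
    return os.getpid()
```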