On Thu, Aug 21, 2003 at 11:35:28AM -0500, Manoj Srivastava wrote:

>      * #80343: [PROPOSAL] policy should say no files should be owned by
>        "nobody"
>        Package: debian-policy; Severity: wishlist; Reported by: "KORN Andras"
>        <[EMAIL PROTECTED]>; 2 years and 239 days old.
>
>       Hmm. Do people think this is required? Are there any
>  files/directories owned by "nobody"? If so, why is that not already a
>  bug? Should policy state, in effect, "do not create bugs in your
>  package"?

mizar:[~] sudo find / -user nobody -ls |tee ~/temp/nobody
1917287    4 drwxr-xr-x   2 nobody   nogroup      4096 Aug 16 23:05 /var/lib/ddt-client
1916940    0 prw-------   1 nobody   nogroup         0 Aug 20 11:07 /var/lib/ddt-client/fifo.in
1916947    0 prw-------   1 nobody   nogroup         0 Aug 20 11:07 /var/lib/ddt-client/fifo.out
180836    4 -rw-rw-rw-   1 nobody   games         308 Jul 13  2001 /var/lib/games/crossfire/temp.maps
1540811    4 -rw-rw-rw-   1 nobody   games        1130 Jul 13  2001 /var/log/crossfire/logfile
442784    4 drwxr-xr-x   2 nobody   nogroup      4096 Aug 16 23:05 /var/run/ddt
442934    4 -rw-r--r--   1 nobody   nogroup         4 Aug 16 23:05 /var/run/ddt/ddtcd.pid

The proposal also says the same thing about other users, like "daemon" and
"www-data", which are misused even more often than nobody.

It is far better for each service to run under a different uid, in order to
contain the breach in the event of a compromise.

But if "nobody" really doesn't make sense at all (and an argument could be
made), shouldn't we rather remove or deprecate it entirely rather than
restricting only its ownership of files?

>      * #82310: Provides: java-servlet-engine
>        Package: debian-policy; Severity: wishlist; Reported by:
>        [EMAIL PROTECTED] (Thom May); 2 years and 216 days old.
>
>       This seems to have stalled for over two years. What is the
>  status of this proposal?  Is a java-servlet-engine virtual package
>  feasible?

Once free Java implementations are up to the task, this would be useful.  We
already have a shared webapp directory (/usr/share/java/webapps) where java
applications can install themselves.  If they could also depend on a virtual
package provided by all servlet engines, java web applications could be
packaged very nicely.

Of course, as far as I know, none of the Java implementations in Debian can
run a servlet engine at this point.

-- 
 - mdz
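
The find run on files owned by "nobody" in the message above, extended to the other shared accounts it names ("daemon", "www-data") and split by whether the file is also world-writable. This is an added example, not part of the original mail; the function name audit_shared_owners and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit_shared_owners is a hypothetical helper name.
# Usage: audit_shared_owners ROOT ACCOUNT...
# Prints "<finding> <account> <path>" for every non-symlink under ROOT that
# is owned by one of the listed accounts. Unknown accounts produce no output.
audit_shared_owners() {
    root=$1
    shift
    for account in "$@"; do
        # World-writable and owned by a shared account: any local user can
        # change it, as with the mode 666 crossfire files in the listing.
        find "$root" -xdev -user "$account" ! -type l -perm -0002 -print \
            2>/dev/null |
            awk -v a="$account" '{ print "WORLD-WRITABLE", a, $0 }'
        # Everything else the account owns: writable by any other service
        # that runs under the same uid.
        find "$root" -xdev -user "$account" ! -type l ! -perm -0002 -print \
            2>/dev/null |
            awk -v a="$account" '{ print "owned", a, $0 }'
    done
}

# Run only when a root directory is given, e.g.:  sudo sh audit.sh /var
if [ "$#" -gt 0 ]; then
    audit_shared_owners "$1" nobody daemon www-data
fi
```

Run it as root so find can descend into every directory; -xdev keeps the walk on the filesystem that ROOT is on.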
