* Felix Palmen <zir...@freebsd.org> [20230508 18:39]: > I tend to think now that 'daemon' should really be the way to go when > you don't need a dedicated account. Am I overlooking something? Any > other comments?
Seems I overlooked something indeed:
#v+
$ find [14-jail] \( -user daemon -or -group daemon \)
[14-jail]/usr/sbin/lpc
[14-jail]/usr/bin/lprm
[14-jail]/usr/bin/lpr
[14-jail]/usr/bin/lpq
[14-jail]/var/rwho
[14-jail]/var/spool/mqueue
[14-jail]/var/spool/lpd
[14-jail]/var/spool/output
[14-jail]/var/spool/output/lpd
[14-jail]/var/spool/opielocks
[14-jail]/var/at/jobs
[14-jail]/var/at/spool
[14-jail]/var/msgs
#v-
So, daemon owns e.g. the print spool...
Interestingly, ou even find something owned by nobody in base:
#v+
-rw-r--r-- 1 nobody wheel 0 Jul 8 2021 /var/db/locate.database
#v-
So, takeaway is: There is no safe choice other than allocating a
dedicated UID for every single daemon, even if it doesn't need to
own/access any files? Is this really correct?
Cheers, Felix
--
Felix Palmen <zir...@freebsd.org> {private} fe...@palmen-it.de
-- ports committer (mentee) -- {web} http://palmen-it.de
{pgp public key} http://palmen-it.de/pub.txt
{pgp fingerprint} 6936 13D5 5BBF 4837 B212 3ACC 54AD E006 9879 F231
signature.asc
Description: PGP signature
