Ulrich Windl wrote on 26/06/2020 10:43: >>>> Roman Odaisky <r...@qwertty.com> schrieb am 25.06.2020 um 14:35 in > Nachricht > <2175_1593088566_5EF49A35_2175_217_1_5367023.DvuYhMxLoT@xps>: >>> [Service] >>> User=nobody >> >> May I interject that DynamicUser=yes is generally superior to User=nobody. > > And I always thought the user is named nobody, because no process ever using > it (as UID to run with)... > Using it may have unwanted security implications.
Could be wrong, but I think it's more to do with running *multiple* unrelated services as nobody. They could, in theory, mess with each other in some cases (deleting each others temporary files, sockets etc). So one dodgy/vulnerable "nobody" service could then interfere with a more robust "nobody" service just because they are running as the same user. Running as different users can avoid that vector. Col -- Colin Guthrie gmane(at)colin.guthr.ie http://colin.guthr.ie/ Day Job: Tribalogic Limited http://www.tribalogic.net/ Open Source: Mageia Contributor http://www.mageia.org/ PulseAudio Hacker http://www.pulseaudio.org/ Trac Hacker http://trac.edgewall.org/ _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
