On 6/12/19 4:06 PM, Bruce Dubbs via blfs-dev wrote:
On 6/12/19 1:56 PM, Thomas Trepl via blfs-dev wrote:
On Wednesday, 12.06.2019, at 11:01 -0500, Douglas R. Reno via
blfs-dev wrote:
Hi folks,
I was just building rpcbind-1.2.5 and noticed a curious difference
between SysV and systemd's instructions.
On systemd, we create a separate "rpc" user to isolate the package
similar to how we would any other system daemon:
"There should be a dedicated user and group to take control of the
rpcbind daemon after it is started. Issue the following commands as
the root user:
    groupadd -g 28 rpc
    useradd -c "RPC Bind Daemon Owner" -d /dev/null -g rpc \
            -s /bin/false -u 28 rpc
On SysV, we tell the rpcbind daemon to use the root user in the
configure command: "--with-rpcuser=root". On systemd, we tell it to
use "--with-rpcuser=rpc".
Should we set up a dedicated user and group for the rpcbind daemon in
SysV like we do for systemd?
From a security perspective, a dedicated user might be a better choice
than root. It looks like root isn't required to be the user running
rpcbind.
I'd vote for user rpc.
We could do that, but I don't think that it is necessary without some
specific rationale. Do we create a specific user for every daemon?
What about syslogd, klogd, acpid, haveged, sshd, gpm ... ? Those are
all run as root on my very limited system in its current state of
build. On a more complete system, add upowerd, cupsd, postfix/master,
and fcron.
-- Bruce
For a majority of daemons that interface with the network, such as SSHD,
apache, bind, dovecot, sendmail, etc. we create separate users. I think
that since rpcbind interfaces with the network, we should create a
separate user for it.
I would give a revision number with context, but I can't find one for
the implementation in systemd. It might have been implemented during the
short period of time that it was in Git before I took over, and I do not
think the repository is around anymore for me to look. That would be 4
years ago though.
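
The following is an added example, not part of any message in this thread and not taken from the BLFS book: a POSIX shell check that a dedicated daemon account matches the values quoted above (user and group "rpc", UID/GID 28, shell /bin/false, home /dev/null). The function name audit_daemon_account, the acceptance of nologin shells, and the sample passwd/group data are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a daemon's dedicated account against the values quoted in the thread
# (user/group "rpc", UID/GID 28, shell /bin/false, home /dev/null).
# Usage: audit_daemon_account NAME ID PASSWD_FILE GROUP_FILE
# Prints one line per finding; returns the number of findings (0 = clean).
audit_daemon_account() {
    name=$1 id=$2 passwd=$3 group=$4 findings=0
    finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

    entry=$(grep "^${name}:" "$passwd" | head -n 1)
    if [ -z "$entry" ]; then
        finding "no user '$name' exists for the daemon to drop privileges to"
        return "$findings"
    fi
    # passwd(5) fields: name:password:UID:GID:comment:home:shell
    uid=$(echo "$entry" | cut -d: -f3)
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    [ "$uid" = "$id" ] || finding "UID is $uid, expected $id"
    [ "$uid" != 0 ] || finding "UID 0: this is root under another name"
    # A second name on the same UID shares file ownership and signal rights.
    owners=$(awk -F: -v u="$uid" '$3 == u' "$passwd" | wc -l)
    [ "$owners" -eq 1 ] || finding "UID $uid is shared by $owners accounts"
    # group(5) fields: name:password:GID:members
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    [ "$gname" = "$name" ] || finding "primary GID $gid maps to '${gname:-nothing}', expected '$name'"
    # Assumption: nologin is accepted too; the thread itself uses /bin/false.
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) finding "login shell '$shell' allows interactive use" ;;
    esac
    [ "$home" = /dev/null ] || finding "home is '$home', expected /dev/null"
    return "$findings"
}

# Constructed sample data (not taken from any real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'rpc:x:28:28:RPC Bind Daemon Owner:/dev/null:/bin/false' > "$demo_dir/passwd.good"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'rpc:x:28:100:RPC Bind Daemon Owner:/home/rpc:/bin/bash' \
    'backup:x:28:100::/var/backup:/bin/false' > "$demo_dir/passwd.bad"
printf '%s\n' 'root:x:0:' 'rpc:x:28:' 'users:x:100:' > "$demo_dir/group"

audit_daemon_account rpc 28 "$demo_dir/passwd.good" "$demo_dir/group" && echo "good: clean"
audit_daemon_account rpc 28 "$demo_dir/passwd.bad" "$demo_dir/group" || echo "bad: $? finding(s)"
```

On a real system the last two arguments would be /etc/passwd and /etc/group.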