Control: Severity -1 wishlist

On Sun, Sep 02, 2007 at 05:27:29PM +0200, Joerg Hoh wrote:
> On Sun, Jun 24, 2007 at 11:56:31AM +0200, Joerg Hoh wrote:
> >
> > In my opinion any package that wants to use an unprivileged user ("nouser") or
> > group ("nogroup") should create a separate user for that usage (see the
> > www-data user for httpd). In any other way there may be conflicts/security
> > implications when 2 processes are there with privileges dropped and now
> > using "nouser:nogroup".
>
> I'll tag it as wontfix.

I think that in absence of advice from Policy, base-passwd sets the way to go for this. And this is (/usr/share/doc/base-passwd/users-and-groups.txt.gz):

nobody, nogroup

    Daemons that need not own any files sometimes run as user nobody and group nogroup, although using a dedicated user is far preferable. Thus, no files on a system should be owned by this user or group.

Since adduser is not in the situation to tell a package maintainer what to do, nogroup is still the valid default that saves GID resources instead of changing the default to "usergroups" for system users.

This was "discussed" on debian-devel in July 2022, https://lists.debian.org/debian-devel/2022/07/msg00027.html, with not much interest from the developer community. I'd take that as consent of the project that the current default is fine and that we should not change it just for the sake of changing it.

I'm open to more and new arguments and I would also accept advice from the Technical Committee in this matter, but for the time being this is going to stay at wontfix.

Greetings
Marc
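
Added example, not part of the original message and not code from adduser or base-passwd: a Python audit for the situation raised in the quoted report, where unrelated processes end up running under the shared nobody UID or nogroup GID. It reads /proc on Linux; the sample process list and its daemon names are constructed for illustration.

```python
import grp
import os
import pwd
from collections import defaultdict


def read_procs(proc_root="/proc"):
    """Yield (pid, name, effective_uid, effective_gid) for every process."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fields = {}
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                for line in fh:
                    key, _, value = line.partition(":")
                    fields[key] = value.strip()
            # Uid/Gid lines hold: real, effective, saved, filesystem IDs
            proc = (int(entry), fields["Name"],
                    int(fields["Uid"].split()[1]), int(fields["Gid"].split()[1]))
        except (OSError, KeyError, IndexError):
            continue  # process exited while we were scanning
        yield proc


def shared_identity(procs, uid, gid):
    """Return the program names sharing `uid` and/or `gid`, keyed by 'uid'/'gid'.

    A key is present only when more than one distinct program uses that ID:
    a shared UID lets the programs signal each other and reach each other's
    files; a shared GID exposes group-accessible files.
    """
    users = defaultdict(set)
    for _pid, name, euid, egid in procs:
        if euid == uid:
            users["uid"].add(name)
        if egid == gid:
            users["gid"].add(name)
    return {kind: sorted(names) for kind, names in users.items() if len(names) > 1}


# Constructed sample: two daemons dropped to nobody:nogroup, one with a
# dedicated user but the default nogroup, and apache2 as www-data.
SAMPLE = [(101, "daemon-a", 65534, 65534), (202, "daemon-b", 65534, 65534),
          (303, "daemon-c", 115, 65534), (404, "apache2", 33, 33)]

if __name__ == "__main__":
    uid = pwd.getpwnam("nobody").pw_uid
    gid = grp.getgrnam("nogroup").gr_gid
    for kind, names in shared_identity(read_procs(), uid, gid).items():
        print(f"{kind} shared by {len(names)} programs: {', '.join(names)}")
```
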