Edmund R. MacKenty wrote:
> On Tuesday 03 November 2009 11:16, Jack Woehr wrote:
>> Edmund R. MacKenty wrote:
>>> . I don't think the UID/GID can be re-used, as
>>> your vendor controls their assignments for system accounts and useradd(8)
>>> will not assign UID/GID values below 500
>> That number-below-which is controlled by the contents of /etc/login.defs
>> I believe, which is an editable text file, not a hard limit.
>
> Correct. But in order for the scenario you described to occur, one of the
> following must happen:
> 1) A superuser edits /etc/login.defs and sets SYSTEM_USER_MIN to zero or some
> other very low value, or
> 2) A superuser runs "useradd -r -u 40 cracker" and gives that account to a
> plain user.

I don't know what sparked that comment, but in case you think system
accounts have special privileges, they do not, except for
UID=0. Essentially, system accounts are not user accounts, and new
accounts are user accounts by default.
The system can be configured to give special access to specific
resources through use of UIDs and GIDs - members of the dialout group on
a system I maintain can use serial ports because they're owned by group
dialout and the group permissions allow that, but that applies equally
whether a process is a daemon process with a system account, or some
user. Similarly, sudo can be configured to give some accounts or groups
special privilege (typically, the ability to run stuff as root), but
again, its behaviour is the same whether the process using it's a system
daemon or an ordinary user. In fact, I use it to allow Apache to modify
firewall rules, and I use it to allow administrator users to do their stuff.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
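
An added example, not part of the thread or any poster's code: a small audit for the two conditions listed above (a lowered threshold in /etc/login.defs, or a low-UID account with a login shell), plus extra UID 0 accounts. The passwd and login.defs text is constructed sample data; `UID_MIN` is assumed to be the threshold key (the shadow-utils name), and the baseline of 500 is the figure quoted in the thread.

```python
# Constructed sample data, not taken from the thread.
SAMPLE_LOGIN_DEFS = "# sample\nUID_MIN 500\nUID_MAX 60000\nSYS_UID_MIN 100\n"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/sbin/nologin
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
cracker:x:40:100::/home/cracker:/bin/bash
toor:x:0:0::/root:/bin/sh
jack:x:1000:100:Jack:/home/jack:/bin/bash
"""

# Shells that refuse interactive logins.
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_login_defs(text):
    """Return {KEY: int} for the numeric settings in login.defs text."""
    settings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) == 2 and fields[1].isdigit():
            settings[fields[0]] = int(fields[1])
    return settings


def audit(passwd_text, login_defs_text, baseline_uid_min=500):
    """Return (check, subject, detail) findings in file order."""
    findings = []
    uid_min = parse_login_defs(login_defs_text).get("UID_MIN", baseline_uid_min)
    if uid_min < baseline_uid_min:
        findings.append(("uid-min-lowered", "login.defs", f"UID_MIN={uid_min}"))
    # A lowered UID_MIN must not hide accounts in the system range.
    threshold = max(uid_min, baseline_uid_min)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank line or NIS "+" entry
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            findings.append(("extra-uid0", name, "second account with UID 0"))
        elif 0 < uid < threshold and shell not in NOLOGIN:
            # An empty shell field means /bin/sh, which is interactive.
            detail = f"uid={uid} shell={shell or '/bin/sh'}"
            findings.append(("system-uid-login-shell", name, detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_LOGIN_DEFS):
        print(*finding, sep="\t")
```

Some distributions ship vendor system accounts with a real shell, so a finding is a prompt to review the account against the vendor's list, not proof of misuse.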