On Mon, 05 Dec 2005 10:11:13 +0000 Dave wrote:
DS> On Sun, 2005-12-04 at 08:32 -0500, Robert Story wrote:
DS> > I think the original idea for changing user/group was
DS> > to have reduced privileges while running. The primary advantage probably
DS> > being that scripts and such wouldn't run as root. It's still reasonable
DS> > to expect that the agent's configuration files would be owned by root,
DS> > and not the non-privileged user.
DS>
DS> I'm not sure I'd fully agree with that.
DS> If something is running as a non-root user, my basic
DS> assumption is that any files created by that process
DS> would be owned by that user - not by root.
DS>
DS> That certainly seems to hold for Apache, where log files etc
DS> are created as the running user, rather than root.

Log files are one thing. Configuration is another.

DS> My main concern would be dropping root ownership too early,
DS> so that (e.g.) opening privileged ports would fail.

My main concern is that configuration files that are owned/writable by a
non-root user degrade the security of the system by effectively giving
everyone with write access to the files root access. A much better solution
would be to set up sudo to allow this group to run limited commands to modify
the configuration files as needed.

I think Wes, security conscious as he is, will agree with me here. If not,
I'll happily concede the point.

--
Robert Story; NET-SNMP Junkie
Support: <http://www.net-snmp.org/> <irc://irc.freenode.net/#net-snmp>
Archive: <http://sourceforge.net/mailarchive/forum.php?forum=net-snmp-coders>

You are lost in a twisty maze of little standards, all different.
