Garrett D'Amore wrote:
> Darren J Moffat wrote:
>> Gary Winiger wrote:
>>>> Why can't it run as uid and gid daemon ?
>>>
>>> Or better yet, noaccess?
>>
>> No, not better at all IMO; as user accounts one is no better than the
>> other. However, there is more current use of daemon than noaccess (kcfd,
>> rpcbind, nfsd, statd, lockd, for starters) in Solaris services. Also,
>> daemons running as daemon looks reasonable; "noaccess" looks strange
>> (to me anyway).
>>
> Comparing noaccess and daemon, I agree that there is little difference
> between the two. (ISTR however that NFS had some special handling
> around noaccess, or maybe that is nobody. I never did anything that
> relied on the special semantics, in any case.)

If you're going to run a daemon with a non-root uid, and you're not
going to create a new uid, you should use daemon. That's exactly the
reason this user account exists.

The nobody account is, indeed, the uid to which NFS maps remote access
by uid 0. No process should run with that uid.

Similarly, noaccess is not appropriate as a process uid unless you are
certain that the process will not create files. Nothing in the file
system should be owned by user noaccess. On the other hand, there are
some files and directories owned by daemon.

Scott
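
An added example, not part of the thread or of any Solaris code: a small shell audit for the two rules in the message above, that no process runs as nobody or noaccess and that no file is owned by noaccess. The function names, the sample process list and the daemon names `exampled` and `otherd` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host against the account rules stated above.

# Constructed sample in the format of `ps -e -o user= -o pid= -o comm=`.
SAMPLE_PS='root 1 init
daemon 214 rpcbind
daemon 301 statd
nobody 412 exampled
noaccess 530 otherd'

# Read "USER PID COMMAND" lines on stdin and print one finding per process
# running under an account that should not be used as a process uid.
flag_bad_process_uids() {
    awk '
        $1 == "nobody"   { print "pid " $2 " (" $3 "): runs as nobody, the uid NFS maps remote uid 0 to" }
        $1 == "noaccess" { print "pid " $2 " (" $3 "): runs as noaccess, which must not come to own files" }
    '
}

# List files under DIR ($1) owned by ACCOUNT ($2, default noaccess).
# Prints nothing when the account does not exist on this host.
files_owned_by() {
    account=${2:-noaccess}
    id "$account" >/dev/null 2>&1 || return 0
    find "$1" -xdev -user "$account" -print 2>/dev/null
}

# Run against the constructed sample; processes running as daemon pass silently.
printf '%s\n' "$SAMPLE_PS" | flag_bad_process_uids

# Live use on a host:
#   ps -e -o user= -o pid= -o comm= | flag_bad_process_uids
#   files_owned_by / noaccess
```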