[systemd-devel] Antw: [EXT] Re: Acceptance of Environment Variables in Attributes
Colin Guthrie
gmane at colin.guthr.ie
Fri Jun 26 13:03:26 UTC 2020
Ulrich Windl wrote on 26/06/2020 10:43:
>>>> Roman Odaisky <roma at qwertty.com> wrote on 25.06.2020 at 14:35 in
> message
> <2175_1593088566_5EF49A35_2175_217_1_5367023.DvuYhMxLoT at xps>:
>>> [Service]
>>> User=nobody
>>
>> May I interject that DynamicUser=yes is generally superior to User=nobody.
>
> And I always thought the user is named nobody because no process ever uses
> it (as the UID to run with)...
> Using it may have unwanted security implications.
Could be wrong, but I think it's more to do with running *multiple*
unrelated services as nobody. They could, in theory, mess with each
other in some cases (deleting each other's temporary files, sockets etc).
So one dodgy/vulnerable "nobody" service could then interfere with a
more robust "nobody" service just because they are running as the same user.
Running as different users can avoid that vector.
Col
--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/
Day Job:
Tribalogic Limited http://www.tribalogic.net/
Open Source:
Mageia Contributor http://www.mageia.org/
PulseAudio Hacker http://www.pulseaudio.org/
Trac Hacker http://trac.edgewall.org/
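As an added illustration of the point made in this thread (not code from the thread or from the systemd project), the script below writes two constructed unit files, one using the shared static `User=nobody` account quoted above and one using the `DynamicUser=yes` alternative Roman suggested, and then audits a directory of units for the weak pattern. The service names, `ExecStart=` paths and `StateDirectory=` name are hypothetical; the classification rule (a static `User=nobody` with no `DynamicUser=yes`) is the thread's argument expressed as a check.

```shell
#!/bin/sh
# Added example, not from the thread: audit systemd unit files for the
# shared-static-user pattern (User=nobody without DynamicUser=yes) and
# show the per-service-UID alternative side by side.
# Unit contents are constructed; service names and paths are hypothetical.

set -eu

# Print "weak" or "ok" for one unit file.
# "weak": runs as the shared static nobody account and does not enable
# DynamicUser=, so it shares a UID with every other such service.
classify_unit() {
    unit_file=$1
    if grep -qiE '^[[:space:]]*DynamicUser[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$unit_file"; then
        # With DynamicUser=yes, any User= names a transient per-service UID.
        echo ok
    elif grep -qE '^[[:space:]]*User[[:space:]]*=[[:space:]]*nobody[[:space:]]*$' "$unit_file"; then
        echo weak
    else
        echo ok
    fi
}

# Print the base names of all *.service files under a directory that are weak.
audit_units() {
    dir=$1
    for f in "$dir"/*.service; do
        [ -e "$f" ] || continue
        if [ "$(classify_unit "$f")" = weak ]; then
            basename "$f"
        fi
    done
}

# Write two constructed unit files into $1: the pattern quoted in the thread
# and the DynamicUser= alternative.
write_sample_units() {
    dir=$1
    cat > "$dir/legacy-nobody.service" <<'EOF'
[Unit]
Description=Hypothetical service sharing the static nobody account

[Service]
ExecStart=/usr/local/bin/legacy-daemon
User=nobody
EOF

    cat > "$dir/isolated.service" <<'EOF'
[Unit]
Description=Hypothetical service with a transient per-service UID

[Service]
ExecStart=/usr/local/bin/isolated-daemon
# A UID/GID is allocated when the service starts and released when it stops,
# so no other service runs as the same user. DynamicUser=yes also implies
# PrivateTmp=yes and RemoveIPC=yes, so /tmp, /var/tmp and SysV/POSIX IPC
# objects are not shared with other services either.
DynamicUser=yes
# Persistent state goes here: systemd creates /var/lib/isolated owned by the
# dynamic user and adjusts ownership on each start.
StateDirectory=isolated
EOF
}

# Stand-alone demo: build the samples in a temp dir and list the weak ones.
demo() {
    tmp=$(mktemp -d)
    write_sample_units "$tmp"
    audit_units "$tmp"
    rm -rf "$tmp"
}

demo
```

Run against a real system with `audit_units /etc/systemd/system` to list drop-in units that still rely on the shared account; units that set `DynamicUser=yes` are reported as fine even when they also carry a `User=` line, because in that case `User=` only names the transient user.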