
Re: [HTCondor-users] condor_ssh_to_job

Dimitri Maziuk wrote:
> It's worse: there are distributions keeping their users safe from Evil
> Hackers. On RHEL not only nobody's shell is /sbin/nologin, its uid is 99
> & pam won't allow logins for uid < 500.

Nobody is traditionally the largest UID on the system. It is the
least-privileged UID on the system: it owns no files, belongs to no
groups other than nogroup, has no usable shell, and cannot be used to
log in. Similarly, nogroup is traditionally the largest GID on the
system. Like nobody, the nogroup GID is the least-privileged group on
the system. The names and numbers are entirely arbitrary. Solaris, for
example, uses 60001 for Nobody, 60002 for the No Access User, and 65534
for the SunOS 4.x nobody. None have shells.

The non-interactive, sub-500 UIDs are less a security thing and more an
administrative thing. It keeps the non-shell system accounts organized.
What is more a security thing is giving each daemon its own unique UID
and GID instead of running everything as nobody:nogroup. This prevents
one compromised daemon from being able to access a different daemon's
files and memory space. An arbitrary range of UIDs and GIDs makes this
easier to manage.

Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science
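The two points Rich makes, that sub-500 accounts should be non-interactive and that daemons should not share one UID such as nobody, are easy to audit from a passwd file. The script below is an added example and is not part of the thread; it runs over a constructed passwd fragment (assumption: the accounts, UIDs and the 500 threshold are illustrative, not taken from any real host) and reports UIDs shared by more than one account name and low-numbered accounts that still have an interactive shell.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits passwd-format
# data for (a) UIDs shared by several accounts and (b) system-range
# accounts that still have an interactive shell.

# Constructed sample in /etc/passwd format (assumption: illustrative only).
# httpd deliberately reuses nobody's UID 99 and backup has a real shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
httpd:x:99:99:web server:/var/www:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash'

# shared_uids PASSWD_TEXT
# Prints "uid:name1,name2" for every UID owned by more than one account.
# Two daemons on one UID can read and signal each other's processes and
# files, which is exactly the isolation the per-daemon UID practice buys.
shared_uids() {
    printf '%s\n' "$1" | awk -F: '
        { count[$3]++
          names[$3] = (count[$3] == 1) ? $1 : names[$3] "," $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort
}

# interactive_system_accounts PASSWD_TEXT [THRESHOLD]
# Prints "name:uid:shell" for non-root accounts below THRESHOLD (default
# 500, the RHEL boundary mentioned in the thread) whose shell is not a
# nologin/false stub, i.e. system accounts that could still be logged into.
interactive_system_accounts() {
    threshold="${2:-500}"
    printf '%s\n' "$1" | awk -F: -v max="$threshold" '
        $3 > 0 && $3 < max && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# Run the audit on the constructed sample (replace with: cat /etc/passwd).
echo "UIDs shared by several accounts:"
shared_uids "$SAMPLE_PASSWD"
echo "System accounts with an interactive shell:"
interactive_system_accounts "$SAMPLE_PASSWD"
```

On a real host, feed the functions `"$(cat /etc/passwd)"` instead of the sample; both functions only read the file, so they are safe to run as an unprivileged user.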