Hi Brian May schrieb: > >>>>> "Hamish" == Hamish Moffatt <[EMAIL PROTECTED]> writes: > > Hamish> On Tue, Dec 26, 2000 at 11:13:13AM +1100, Brian May wrote: > >> However, the idea of one UID per daemon is (IMHO) a really > >> horrible solution, too, as you end up having more UIDs for > >> daemons then users. > > Hamish> Why is that a problem? There are 65536 available UIDs. > Some potential problems though: > > - easy to hide back-door entry point in /etc/passwd if lots of entries > exist (eg. missing password field). Whether this is by mistake > or done on purpose by an attacker is not important, but the fact it > is harder to detect may be important.
Regular /etc/passwd checking is done by a pretty rigid scripts usually. It really does not matter how many entries there are in /etc/passwd. Checking it "by hand" seems pointless to me. > - As the number of entries grows, the chance that one/more entries > will conflict with some NIS, openldap or remote NFS system increases. > Especially since adduser, etc, do not support NIS or openldap. I am > not sure of the details here - can adduser assign a local user a UID > that conflicts with that from some other source? Then we should fix adduser and libc(PAM/NSS). I tried to get the normal 'passwd' to change passwords on nis (well, passwdd; pam_unix seems to be able to do this) but couldn't get it to work (I hadn't that much time for it though). > - harder to administrate /etc/passwd as more users exist. Something that seems improtant to me: providing a way to use less users/groups on some systems should be easy once every daemon can have it's own (adduser creating system accounts with same UID/GID comes to mind). The other way round it's harder. ciao, 2ri