On 2016-12-21 22:56:06, Dmitry Bogatov wrote: > [2016-12-20 22:10] Russ Allbery <r...@debian.org> >> Hm, transient IDs is an interesting idea. In a lot of cases, we create a >> system user just to isolate the running daemon, not to control file system >> access. The drawback, though, is that one has to have a really clear idea >> of what resources the process would need in order to make sure this is >> safe. (A much clearer idea than the understanding we need to know when >> it's safe to delete a system user, I think.) > > You just gave me good idea. What about not removing $HOME, but chowning > it to root? I mean, on install we create user and if its $HOME already > exists, just chown it.
You would need to check for suid binaries, among other traps. a. -- Arguing for surveillance because you have nothing to hide is no different than making the claim, "I don't care about freedom of speech because I have nothing to say." - Edward Snowden