Package: base-passwd
Version: 3.5.11
Severity: minor
Tags: patch

jabberd doesn't actually run as "daemon".  Instead it runs as
"jabber:adm" (and I've filed a bug about the "adm" part).

www-data doesn't own my apache2 logfiles; the parent apache daemon is
root for all [UG]ID, and the children are all www-data for all [UG]ID.

--- -   2007-08-31 08:01:18.498416000 -0400
+++ /tmp/usersnd-groups.txt.gz.6649     2007-08-31 08:01:18.000000000 -0400
@@ -64,11 +64,11 @@
 daemon
 
     Some unprivileged daemons that need to be able to write to some files on
-    disk run as daemon.daemon (portmap, atd, jabberd, lambdamoo, mon, and
-    others). Daemons that don't need to own any files sometimes run as
-    nobody.nogroup instead; it is generally better practice to use a dedicated
-    user, and more complex or security-conscious daemons certainly do this. The
-    daemon user is also handy for locally installed daemons, probably.
+    disk run as daemon.daemon (portmap, atd, lambdamoo, mon, and others).
+    Daemons that don't need to own any files sometimes run as nobody.nogroup
+    instead; it is generally better practice to use a dedicated user, and more
+    complex or security-conscious daemons certainly do this. The daemon user is
+    also handy for locally installed daemons, probably.
 
     LSB 1.3 lists daemon as legacy, and says: "The 'daemon' UID/GID was used as
     an unprivileged UID/GID for daemons to execute under in order to limit
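Review bot: the removed and added lines re-wrap the whole paragraph in order to drop one word, "jabberd,", from the parenthetical list, which makes the substantive change hard to spot. A minimal edit would touch only the line beginning "disk run as daemon.daemon". The other names kept in that list (portmap, atd, lambdamoo, mon) are carried over unchanged, so it would be worth confirming in the same pass that they still run as daemon.daemon.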
@@ -159,7 +159,7 @@
 
     Some web servers run as www-data. Web content should not be owned by this
     user, or a compromised web server would be able to rewrite a web site. Data
-    written out by web servers, including log files, will be owned by www-data.
+    written out by web servers will be owned by www-data.
 
 backup
 
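Review bot: on the changed line, dropping ", including log files" leaves the text silent on who owns the logs, so a reader can still assume www-data does. Since the report says the parent apache daemon runs as root and only the children run as www-data, consider adding a sentence saying that log files may be opened by a root parent process and are then not owned by www-data. The unqualified "Data written out by web servers will be owned by www-data" also reads as covering every web server, while the paragraph opens with "Some web servers".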
