Package: base-passwd
Version: 3.5.11
Severity: minor
Tags: patch

jabberd doesn't actually run as "daemon". Instead it runs as "jabber:adm" (and I've filed a bug about the "adm" part).
www-data doesn't own my apache2 logfiles; the parent apache daemon is root for all [UG]ID, and the children are all www-data for all [UG]ID.
--- - 2007-08-31 08:01:18.498416000 -0400 +++ /tmp/usersnd-groups.txt.gz.6649 2007-08-31 08:01:18.000000000 -0400 @@ -64,11 +64,11 @@ daemon Some unprivileged daemons that need to be able to write to some files on - disk run as daemon.daemon (portmap, atd, jabberd, lambdamoo, mon, and - others). Daemons that don't need to own any files sometimes run as - nobody.nogroup instead; it is generally better practice to use a dedicated - user, and more complex or security-conscious daemons certainly do this. The - daemon user is also handy for locally installed daemons, probably. + disk run as daemon.daemon (portmap, atd, lambdamoo, mon, and others). + Daemons that don't need to own any files sometimes run as nobody.nogroup + instead; it is generally better practice to use a dedicated user, and more + complex or security-conscious daemons certainly do this. The daemon user is + also handy for locally installed daemons, probably. LSB 1.3 lists daemon as legacy, and says: "The 'daemon' UID/GID was used as an unprivileged UID/GID for daemons to execute under in order to limit @@ -159,7 +159,7 @@ Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data - written out by web servers, including log files, will be owned by www-data. + written out by web servers will be owned by www-data. backup
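Review bot: In the first hunk (@@ -64,11 +64,11 @@), all five lines of the paragraph are rewrapped although the only content change is dropping "jabberd" from the list of daemons running as daemon.daemon, which makes the change harder to verify at a glance. Consider removing just the name on the first line and leaving the other four lines untouched. The remaining entries (portmap, atd, lambdamoo, mon) are carried over unchanged; since the report shows one of the listed names was stale, it would be worth confirming the others before they are kept as examples.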
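Review bot: In the second hunk (@@ -159,7 +159,7 @@), dropping "including log files" leaves the paragraph silent on who does own the logs, and the remaining sentence "Data written out by web servers will be owned by www-data" can still be read as covering them. The report says the parent apache process runs as root and only the children run as www-data, so it would be clearer to state that explicitly, for example that log files opened by a root parent process are not owned by www-data. That also fits the paragraph's existing point about a compromised web server not being able to rewrite content it does not own.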