David Roundy wrote:
> On Fri, Nov 22, 2002 at 11:04:27AM -0800, Blars Blarson wrote:
> >
> > but is it really appropriate for a package to create a new user for a
> > weekly download?

depending upon what other processes will be using the data, and those that will be starting them, the answer varies from ``maybe'' to ``yes!''

> I'm far from an expert, but I would have thought that 'nobody' would be
> appropriate for this.

_no_. you never want a file owned by nobody. services that do not need any elevated privileges should run as nobody, so if they are compromised, they can do nothing. if you download a file as nobody, then a compromised nobody-running daemon can then trojan that file. bad.

> As long as you don't trust the content of those files, this seems safe
> to me.

there are other reasons to not trust the file, other than the ownership (dns cache poisoning, dns takeover, trojans on the server), so we can accept this as a truism.

-john