Re: question on what is 'nobody'
-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of CHAPLIN, JAMES (CTR)
Sent: Wednesday, November 07, 2007 2:28 PM
To: LINUX-390@VM.MARIST.EDU
Subject: question on what is 'nobody'

> In the /etc/passwd group is a uid/gid of nobody. Why is nobody there and what does he do?
>
> Also in his (and others) shadow file he has * as his encrypted password, does this have special value?
>
> nobody:*:13725:0:9:7:::
>
> New to linux, inquisitive mind ;-)
>
> James Chaplin

That is a type of null user that many daemons use in order to reduce their authorities to nothing. This helps enhance security by running the majority of the daemon code in a mode in which they cannot affect any other processes or files. The actual UID and GID are not relevant, other than the UID needs to be unique, and non-zero. The GID likewise needs to be unique. And there should not, generally, be any files or subdirectories owned by the UID or GID.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group Information Technology

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
question on what is 'nobody'
In the /etc/passwd group is a uid/gid of nobody. Why is nobody there and what does he do?

Also in his (and others) shadow file he has * as his encrypted password, does this have special value?

nobody:*:13725:0:9:7:::

New to linux, inquisitive mind ;-)

James Chaplin
Systems Programmer, MVS zLinux
(703) 921-6220
Re: question on what is 'nobody'
> In the /etc/passwd group is a uid/gid of nobody. Why is nobody there and what does he do?

User nobody was created in the early days of NFS when you had to deal with remote RPC that may not be coming from an authenticated user on the NFS server, and thus do not have a valid uid, or for any other reason you need to map a request to a known unprivileged user. That entry lets you specify what the uid for that known unprivileged user should be.

The original NFS server (in the SunOS 2.x days) would happily believe any uid it was handed with very weak (if any) authentication, which would allow anyone claiming uid 0 remotely to edit any file on your system as root. This was clearly a Bad Thing. Somewhere around SunOS 3.x, the NFS server was changed so that unless you specified a particular option (nosquash), any RPC claiming uid 0 from a remote or unauthenticated source is mapped to user 'nobody', which has no privileges, can't log in, and owns nothing in the default system setup -- so theoretically it closes a major security hole.

It exists in Linux to allow the NFS code to avoid major changes. Leave it alone. You'll want it in case someone accidentally installs NFS where it doesn't belong.

> Also in his (and others) shadow file he has * as his encrypted password, does this have special value?
>
> nobody:*:13725:0:9:7:::

Indicates that this userid can't log on. The crypto libraries are guaranteed never to produce an encrypted string equal to '*' or '!', so any user with those strings as their encrypted password string cannot possibly authenticate successfully, so they cannot log on.

If NIS or NIS+ is active, a '*' in the password position in the user entry indicates that the login program should consult NIS for password string information. If NIS is not working, then the * entry prevents any user not explicitly listed in /etc/passwd from logging in until you get NIS working again...8-)
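The root-squash mapping described above is what a Linux NFS server does by default: exports(5) calls the option `root_squash` (the default) and its opposite `no_root_squash`, with `anonuid`/`anongid` selecting which unprivileged identity remote uid 0 is mapped to. The following audit script is an added example, not code from the list or from any NFS project; it parses a constructed /etc/exports and reports which exports still trust a remote root. The 65534 default for anonuid is an assumption (check `id nobody` on the host).

```python
import re

# Constructed /etc/exports sample (not taken from any real host).
EXPORTS = """\
# root_squash is the exports(5) default, so /srv/pub gets it implicitly
/srv/share   10.0.0.0/24(rw,sync,root_squash)
/srv/build   buildhost(rw,no_root_squash)
/srv/pub     *(ro)
/srv/scratch 10.0.0.0/24(rw,all_squash,anonuid=60001,anongid=60001)
"""
NOBODY_UID = 65534  # assumed anonuid default; verify with `id nobody`

# client token is "host" or "host(opt,opt,...)"
ENTRY_RE = re.compile(r"^([^(\s]+)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return (path, client, set-of-options) for every export entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            m = ENTRY_RE.match(tok)
            if not m:
                raise ValueError(f"bad export entry: {tok!r}")
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            entries.append((path, m.group(1), opts))
    return entries

def squash_report(text):
    """Classify how each export treats the uid a remote client claims."""
    report = []
    for path, client, opts in parse_exports(text):
        anonuid = next((int(o.split("=", 1)[1]) for o in opts
                        if o.startswith("anonuid=")), NOBODY_UID)
        if "no_root_squash" in opts:
            mode = "root-trusted"    # remote uid 0 acts as root on this export
        elif "all_squash" in opts:
            mode = "all-squashed"    # every remote uid becomes anonuid
        else:
            mode = "root-squashed"   # default: remote uid 0 -> anonuid
        report.append((path, client, mode, anonuid))
    return report

def risky_exports(text):
    """Exports where a remote client claiming uid 0 keeps root authority."""
    return [(p, c) for p, c, mode, _ in squash_report(text) if mode == "root-trusted"]

if __name__ == "__main__":
    for row in squash_report(EXPORTS):
        print(row)
```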
Re: question on what is 'nobody'
On Wed, Nov 7, 2007 at 3:28 PM, in message [EMAIL PROTECTED], CHAPLIN, JAMES (CTR) [EMAIL PROTECTED] wrote:

-snip-

> Also in his (and others) shadow file he has * as his encrypted password, does this have special value?
>
> nobody:*:13725:0:9:7:::

Yes. It's a value that the hashing/encryption algorithms will never produce for a real password, so the nobody account will never be able to login to the system.

Mark Post
Re: question on what is 'nobody'
CHAPLIN, JAMES (CTR) wrote:

> In the /etc/passwd group is a uid/gid of nobody. Why is nobody there and what does he do?
>
> Also in his (and others) shadow file he has * as his encrypted password, does this have special value?
>
> nobody:*:13725:0:9:7:::
>
> New to linux, inquisitive mind ;-)
>
> James Chaplin
> Systems Programmer, MVS zLinux
> (703) 921-6220

nobody is there so when someone asks "Who does this belong to?" you can say "nobody!"

Seriously, it is there to provide a placeholder, since everything needs to be connected to some ID. It is often used for FTP for anonymous access, or Apache, or anywhere you need an ID and have no one to attach to it.

From the shadow man page (on Ubuntu):

> If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a UNIX password to log in, subject to pam(7).

This makes nobody perfect to use as an owner of something you don't want able to log on, and yet can be the owner of files, et al.

Kim

--
Kim Goldenberg
Systems Programmer I
State of NJ - OIT
609-777-3722
[EMAIL PROTECTED]
[EMAIL PROTECTED]
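The shadow man page rule quoted above (any field that is not a valid crypt(3) result blocks UNIX-password login) and John McKown's requirement that nobody's UID be unique and non-zero are both mechanically checkable. The script below is an added example, not code from the list; it audits constructed /etc/passwd and /etc/shadow contents, classifies each password field, and reports the cases a reviewer cares about: extra uid-0 accounts, shared UIDs, passwordless accounts, and whether nobody is locked. The hash strings are placeholders, not real crypt output.

```python
import re

# Constructed sample files (not taken from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ops:x:0:0:second uid 0 account:/root:/bin/bash
james:x:1000:1000:James:/home/james:/bin/bash
"""
SHADOW = """\
root:$6$rounds=5000$saltsalt$HASHOUTPUTPLACEHOLDER:13725:0:99999:7:::
nobody:*:13725:0:9:7:::
www-data:!:13725:0:99999:7:::
ops:!$6$saltsalt$HASHOUTPUTPLACEHOLDER:13725:0:99999:7:::
james::13725:0:99999:7:::
"""

# crypt(3) output is either the legacy 13-character DES form or a
# "$id$...$hash" string; nothing else can ever match a typed password.
CRYPT_RE = re.compile(r"^(\$[0-9a-z]+\$[^:]+|[./0-9A-Za-z]{13})$")

def classify(field):
    """What a shadow password field permits."""
    if field == "":
        return "empty"    # no password required (if PAM allows nullok)
    if CRYPT_RE.match(field):
        return "hashed"   # a real password can authenticate
    return "locked"       # "*", "!", "!<hash>" or any other non-crypt string

def audit(passwd_text, shadow_text):
    """Return findings on uid reuse, uid 0, empty passwords and nobody."""
    uids = {}
    for line in passwd_text.splitlines():
        name, _, uid, _gid, *_ = line.split(":")
        uids.setdefault(int(uid), []).append(name)
    status = {}
    for line in shadow_text.splitlines():
        name, pw, *_ = line.split(":")
        status[name] = classify(pw)
    return {
        "uid0": sorted(uids.get(0, [])),
        "shared_uids": {u: n for u, n in uids.items() if len(n) > 1},
        "passwordless": sorted(n for n, s in status.items() if s == "empty"),
        "nobody_ok": status.get("nobody") == "locked" and "nobody" not in uids.get(0, []),
        "status": status,
    }

if __name__ == "__main__":
    for key, value in audit(PASSWD, SHADOW).items():
        print(f"{key}: {value}")
```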