[vox-tech] Purpose of "nobody" user?
jim stockford
jim at well.com
Fri Jun 23 12:50:34 PDT 2006
The "insane" UID (65534) is -2, where 0 can be thought of as 00000 and -1 is one less, which in CPU registers is all 1 values, i.e. 65535, and -2 is one less than -1, i.e. 65535 - 1 = 65534.

I forget the user name for -1, and here the nobody user name has -2 for a UID (that's what 65534 is in 16-bit land).

There's one big shop I know of that uses nobody (65534) as an application name, I believe for a remote login.

In the case of a laptop that has no apps remotely logging in, there might be some human login scheme that permits remote logging in as the user nobody, with the highly restricted file and command access that (should be) associated with that account.
On Jun 23, 2006, at 12:39 PM, Rick Moen wrote:
> Quoting Bill Kendrick (nbs at sonic.net):
>
>>
>> Yesterday, I was helping Melissa add a user account to her laptop.
>> I decided to just point her at KDE's "Kuser" (K->System->"User Manager")
>> GUI tool, mostly because I wanted to see it. ;) ("adduser" is not hard to
>> use, but I figured most non-Unix-types would go hunting a GUI tool,
>> so wanted to familiarize myself with it.)
>>
>> One thing she noticed was the user "nobody", which sounded suspicious.
>> And it had quite an insane UID (65534), compared to other user accounts.
>> Her first thought was to Google for 'nobody 65534', and found many, many
>> posts where people had obviously dumped their /etc/passwd to a mailing list
>> for help with this-or-that. Based on this, she seemed happy enough to
>> know it's just some "thing" that Linux does/has.
>>
>> For the life of me, I couldn't really explain _what_ "nobody" is used for.
>> I'm familiar with it in terms of NCSA httpd and Apache, but beyond that...
>> A little help, here? :^D
>
> I note with appreciation Rod's separate explanation. Mine will probably
> suffer some inaccuracies because it attempts to reconstruct ancient *ix
> lore from faulty memory.
>
> The "nobody" account is one that became a traditional feature long ago,
> as a "sandbox" user-ID/username for running automated processes under
> without elevated privilege and without special access to any specific
> real user's files. It's typically set to have either a locked password
> or no valid shell, so as to not be an entry point for attackers.
>
> I _think_ that it's _maybe_ (I was going to say "probably", but then
> thought better) largely superfluous (but harmless) at this point,
> because it eventually dawned on Unix admins that two separate automated
> processes could have a common-mode security failure or other form of
> disastrous interaction, such that it's better to set up a _distinct_
> username for each such process to run under -- which is why Apache
> httpd now typically runs as user "httpd" or such, for example.
>
> Now, I can't swear that something won't break on your system, either
> today or later on, if you were hypothetically to remove or further
> restrict the "nobody" user. Some scripts might be running as "nobody"
> from time to time -- maybe cronjobs?
>
> Flashback: Early in my use of Unixes, I decided one day to "tighten
> system security", and eventually got around to setting the various
> non-real usernames in /etc/passwd to have shell /bin/false instead of
> /bin/sh, /tmp/[username] for their shells, and so on. Big mistake: A
> whole lot of crucial system maintenance broke -- because those usernames
> turned out to need a real shell to do their work, though they didn't
> have to be valid for login.
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
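As an added illustration (not part of the original thread), the following Python shows the two points raised above: why 65534 reads as -2 under 16-bit two's complement, and how an administrator can check whether several unrelated services share the "nobody" sandbox account, the common-mode risk Rick describes. The passwd lines, the `ps -eo user,comm` output and the service names are constructed sample data, not taken from any real system.

```python
"""Audit helpers for the shared 'nobody' sandbox account (added example)."""

# Constructed sample data: passwd entries and `ps -eo user,comm` style output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SAMPLE_PS = [
    "USER     COMMAND",      # header line, skipped
    "root     init",
    "www-data apache2",
    "nobody   legacy-cgi",   # hypothetical service names
    "nobody   reportgen",
]
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def to_signed(uid: int, bits: int = 16) -> int:
    """Interpret an unsigned UID as a `bits`-wide two's-complement value.
    65534 -> -2 and 65535 -> -1 in 16-bit land."""
    mask = (1 << bits) - 1
    uid &= mask
    return uid - (1 << bits) if uid >> (bits - 1) else uid


def parse_passwd(text: str) -> dict:
    """Map username -> (uid, shell) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), shell)
    return users


def services_running_as(ps_lines: list, account: str = "nobody") -> list:
    """Distinct commands running under `account`; more than one means
    unrelated processes share a single identity and can affect each other."""
    cmds = set()
    for line in ps_lines:
        user, comm = line.split(None, 1)
        if user != "USER" and user == account:
            cmds.add(comm.strip())
    return sorted(cmds)


def sandbox_report(passwd: dict, account: str = "nobody") -> dict:
    """Summarise UID (raw and as signed 16-bit) and whether the account
    still has a login-capable shell."""
    uid, shell = passwd[account]
    return {"uid": uid, "signed16": to_signed(uid, 16),
            "login_shell": shell not in NOLOGIN_SHELLS}
```

Rick's flashback applies before acting on `login_shell`: a system account may need a real shell for cron or maintenance scripts even though nobody should be able to log in as it, so check what runs under the account before swapping its shell for /bin/false.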