"nobody"

Posted Feb 11, 2008 22:31 UTC (Mon) by rfunk (subscriber, #4054)
Parent article: LCA: Two talks on the state of X

Don't run X as "nobody" -- that's reserved to be the owner of 
NFS-available files where they're owned by root on the NFS server.

X should run as its own user, e.g. "xserver".



"nobody"

Posted Feb 11, 2008 23:39 UTC (Mon) by bronson (subscriber, #4806)

"nobody" has come to mean the generic unprivileged user.  Lots of distros run server software
as nobody these days.

If NFS really wants to make this distinction, why don't they call their user "nfs-not-root" or
"squashed-root" or something a little less generic?

"nobody"

Posted Feb 12, 2008 1:21 UTC (Tue) by nix (subscriber, #2304)

Because NFS was the first thing to need such a user, so it's become 
traditional?

(Isn't `daemon' the ID you run otherwise-low-privilege daemons as, 
anyway?)

"nobody"

Posted Feb 13, 2008 20:43 UTC (Wed) by cortana (subscriber, #24596)

It's the UID you run a daemon as when you want it to have privileges to interfere with other
daemons running as 'daemon'. :)

Seriously... adduser --system is not hard! Give everything its own user!

"nobody"

Posted Feb 14, 2008 12:49 UTC (Thu) by nix (subscriber, #2304)

But what if I had over 64K daemons running?

... oh, 32-bit uids. What if I had over four billion daemons running?

(seriously, with KDE it's only a matter of time! I suppose those all run as the KDE desktop
user though.)

;}

"nobody"

Posted Feb 14, 2008 18:58 UTC (Thu) by quotemstr (subscriber, #45331)

That's the problem. If everyone uses the same generic "unprivileged" user, that user actually
becomes quite powerful. Better would be to separate out users for each application.

"nobody"

Posted Feb 22, 2008 8:34 UTC (Fri) by goaty (guest, #17783)

The practice of running all daemons as "nobody" was a historical mistake. This has been
corrected in Debian and (I hope) most other Linux distributions. Each daemon runs as a
separate user, which prevents both accidental and malicious interference with other daemons.

The extreme example is qmail, which has four user accounts and no license.

I think "run as nobody" has become a shorthand for "run as an unprivileged user instead of
root", and that is how the article was using it. I think the LWN guys are clueful enough that
they wouldn't suggest we literally run the X server as the "nobody" user.
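
Editor's added example, not part of any comment above and not code from LWN or the commenters: a small audit that reads `ps -eo user,uid,comm` output and reports system accounts (such as "nobody" or "daemon") that are shared by more than one distinct program, which is the situation the thread argues against. The sample process list, the UID thresholds and the allow-list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of `ps -eo user,uid,comm` output (not from the thread).
SAMPLE_PS = """\
USER       UID COMMAND
root         0 init
nobody   65534 dnsmasq
nobody   65534 memcached
nobody   65534 memcached
daemon       1 atd
daemon       1 portmap
postfix    105 qmgr
postfix    105 pickup
alice     1000 bash
alice     1000 firefox
"""

# Assumption: UIDs below 1000, plus 65534 ("nobody"), are system accounts.
SYSTEM_UID_MAX = 999
NOBODY_UID = 65534
# Assumption: accounts expected to run several programs of a single package.
ALLOW = {"root", "postfix"}


def shared_service_accounts(ps_text, allow=ALLOW):
    """Return {user: sorted distinct commands} for system accounts that run
    more than one distinct program, so those programs can interfere with
    each other (same-UID processes may signal one another and share files)."""
    by_user = defaultdict(set)
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue                           # ignore malformed rows
        user, uid, comm = parts[0], int(parts[1]), parts[2].strip()
        if uid <= SYSTEM_UID_MAX or uid == NOBODY_UID:
            by_user[user].add(comm)
    return {u: sorted(c) for u, c in by_user.items()
            if u not in allow and len(c) > 1}


if __name__ == "__main__":
    for user, comms in sorted(shared_service_accounts(SAMPLE_PS).items()):
        print(f"{user}: shared by {', '.join(comms)}")
```

Each account it reports is a candidate for splitting into per-daemon users, for instance with the `adduser --system` mentioned in the thread.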

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds