Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
Don't run X as "nobody" -- that's reserved to be the owner of
NFS-available files where they're owned by root on the NFS server.
X should run as its own user, e.g. "xserver".
Posted Feb 11, 2008 23:39 UTC (Mon) by bronson (subscriber, #4806)
"nobody" has come to mean the generic unprivileged user. Lots of distros run server software
as nobody these days.
If NFS really wants to make this distinction, why don't they call their user "nfs-not-root" or
"squashed-root" or something a little less generic?
Posted Feb 12, 2008 1:21 UTC (Tue) by nix (subscriber, #2304)
Because NFS was the first thing to need such a user, so it's become
(Isn't `daemon' the ID you run otherwise-low-privilege daemons as,
Posted Feb 13, 2008 20:43 UTC (Wed) by cortana (subscriber, #24596)
It's the UID you run a daemon as when you want it to have privileges to interfere with other
daemons running as 'daemon'. :)
Seriously... adduser --system is not hard! Give everything its own user!
Posted Feb 14, 2008 12:49 UTC (Thu) by nix (subscriber, #2304)
But what if I had over 64K daemons running?
... oh, 32-bit uids. What if I had over four billion daemons running?
(seriously, with KDE it's only a matter of time! I suppose those all run as the KDE desktop
Posted Feb 14, 2008 18:58 UTC (Thu) by quotemstr (subscriber, #45331)
That's the problem. If everyone uses the same generic "unprivileged" user, that user actually
becomes quite powerful. Better would be to separate out users for each application.
Posted Feb 22, 2008 8:34 UTC (Fri) by goaty (guest, #17783)
The practice of running all daemons as "nobody" was a historical mistake. This has been
corrected in Debian and (I hope) most other Linux distributions. Each daemon runs as a
separate user, which prevents both accidental and malicious interference with other daemons.
The extreme example is qmail, which has four user accounts and no license.
I think "run as nobody" has become a shorthand for "run as an unprivileged user instead of
root", and that is how the article was using it. I think the LWN guys are clueful enough that
they wouldn't suggest we literally run the X server as the "nobody" user.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds