Github messages for voidlinux
From: ailiop-git <ailiop-git@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR REVIEW] spiped: add unprivileged system account
Date: Wed, 09 Jun 2021 12:03:35 +0200
Message-ID: <20210609100335.IZZV2pxjZikQ8BqHjp3n9UM80yE-NL48uyf4vBWW9m4@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-31332@inbox.vuxu.org>

New review comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#discussion_r648157096

Comment:
I'd like to avoid doing that, given that `nobody` is a catch-all account and may be shared by different services. There are far too many ways that processes running with the same creds can influence each other, and it's better to avoid that as much as possible given that this is done for increased security, especially for long-running daemons. Plus there are further things that can be restricted by uid so it's useful to have separation.

I suppose I'd better provide a parameterized sv file, similar to what the FreeBSD pkg does [1], and let users configure the various options over a conf file as we do for the rest (e.g. like sshd). This would also have the system accounts hardcoded, so it would make more sense.

[1] https://cgit.freebsd.org/ports/tree/sysutils/spiped/files/spiped.in

Thread overview: 7+ messages
2021-06-06 23:22 [PR PATCH] " ailiop-git
2021-06-08  2:16 ` [PR REVIEW] " ericonr
2021-06-08  8:38 ` ailiop-git
2021-06-09  0:56 ` sgn
2021-06-09 10:03 ` ailiop-git [this message]
2022-05-21  2:00 ` github-actions
2022-06-04  2:09 ` [PR PATCH] [Closed]: " github-actions
