FS#43964 - [minidlna] create a user/group instead of using nobody, which is not secure
Attached to Project:
Community Packages
Opened by Daniel Micay (thestinger) - Thursday, 26 February 2015, 16:04 GMT
Last edited by Sergej Pupykin (sergej) - Thursday, 26 February 2015, 16:49 GMT
Opened by Daniel Micay (thestinger) - Thursday, 26 February 2015, 16:04 GMT
Last edited by Sergej Pupykin (sergej) - Thursday, 26 February 2015, 16:49 GMT
|
Details
Among other issues, any process running as `nobody` can
ptrace (debug) another process running as `nobody`. Arch
enables ptrace_scope by default now, but it can't be relied
upon because it's commonly disabled for compatibility or to
attach debuggers to your own processes without root
access.
It's better to have 2 services running as nobody than both running as root, but it's unnecessary to leave services vulnerable to each other like this. Using nobody rather than root is better in the case where the service is exploited, but it makes the service itself more vulnerable. |
This task depends upon