
Bug 150159

Summary: user nobody has / as homedir defined in /etc/passwd
Product: Gentoo Linux
Reporter: Toralf Förster <toralf>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED WORKSFORME
Severity: normal
CC: julien.cayzac+gentoo, yogaishrs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Toralf Förster gentoo-dev 2006-10-05 05:07:50 UTC
tfoerste@n22 ~ $ grep nob /etc/passwd
nobody:x:65534:65534:nobody:/:/bin/false

Why is the user's home dir "/"?
The background of this question can be found here: https://sourceforge.net/tracker/?func=detail&atid=386750&aid=1488505&group_id=26275

Wouldn't it be better to use "/nonexistent" or so?
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-10-05 05:19:21 UTC
/ is NOT owned by nobody, use ls. Changing summary.

# ls -ld /
drwxr-xr-x 21 root root 488 2006-10-05 14:16
Comment 2 yogeshbug 2006-10-05 05:37:27 UTC
And moreover the default shell of nobody is /bin/false, so it does not make any difference.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-10-05 09:03:40 UTC
The LSB states:
http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/usernames.html
"The location of the users home directory is also not defined by policy other than the recommendations of the Filesystem Hierarchy Standard and should be obtained by the getpwnam(), getpwnam_r(), getpwent(), getpwuid(), and getpwuid_r() functions."

FreeBSD-4.1:
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
Solaris 10:
nobody:x:60001:60001:uid no body:/:/bin/false

In short, I think anything depending on nobody having a nonexistent homedir is asking for trouble anyway.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-10-05 17:02:14 UTC
here's Fedora Core 5:
nobody:x:99:99:Nobody:/:/sbin/nologin

I'd say that webdav is doing the wrong thing in trying to use the homedir of the nobody user. if it's after an empty directory, maybe use the /var/empty that ssh does?

could you please pass this Gentoo bug on to the upstream dav bug?
Comment 5 SpanKY gentoo-dev 2006-10-05 18:48:06 UTC
i don't see anything that needs to be changed
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2008-03-10 11:29:34 UTC
*** Bug 212919 has been marked as a duplicate of this bug. ***
Comment 7 Julien Cayzac 2008-03-10 11:44:25 UTC
So, if I understand well, you're saying that all the programs that access ~user without handling the special case where user is nobody are broken and nothing should be handled in Gentoo's default nobody homedir policy?

I see at least two arguments against that:
1/ Third party programs have no way of knowing the "unprivileged" user login (it can be "nobody" as well as "noone", "unprivileged", ... and several accounts may be unprivileged).
2/ If I follow the logic, gcc should not output any warning when compiling third party programs that use old, unsecure libc functions such as strcmp(). Not to mention its runtime buffer overflow protection abilities, since well written programs should not be vulnerable to buffer overflow attacks.

On the other hand, I cannot see anything that would break if nobody's homedir were changed from / to /nonexistent by default.
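
Added example (not part of the bug report, and not code from Gentoo or the upstream project): one way a program can decide whether an account's passwd home field is really that account's own directory, without knowing which login names are "unprivileged" and without assuming the field is /nonexistent. The function names and the ownership/permission policy are assumptions of this sketch; the sample lines are the passwd entries quoted in the comments above.

```python
import os
import stat
from typing import Callable, NamedTuple, Optional

# passwd lines quoted in the thread, keyed by the system they came from
THREAD_SAMPLES = {
    "Gentoo": "nobody:x:65534:65534:nobody:/:/bin/false",
    "FreeBSD-4.1": "nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin",
    "Solaris 10": "nobody:x:60001:60001:uid no body:/:/bin/false",
    "Fedora Core 5": "nobody:x:99:99:Nobody:/:/sbin/nologin",
}

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5) line: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    name, _pw, uid, _gid, _gecos, home, shell = fields
    return PasswdEntry(name, int(uid), home, shell)

def private_home(entry: PasswdEntry, lstat: Callable = os.lstat) -> Optional[str]:
    """Return entry.home only if it is usable as that account's own directory.

    Policy (an assumption of this example): absolute path, not the root
    directory, an existing real directory (not a symlink), owned by the
    account's uid, and not writable by group or others.
    """
    home = entry.home
    if not home.startswith("/") or not home.strip("/"):
        return None  # relative path, empty field, or "/" itself
    try:
        st = lstat(home)
    except OSError:  # e.g. /nonexistent
        return None
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != entry.uid:
        return None
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return None
    return home

def audit(lines: dict, lstat: Callable = os.lstat) -> dict:
    """Map each label to the account's private home, or None if it has none."""
    return {k: private_home(parse_passwd_line(v), lstat) for k, v in lines.items()}
```

With this check, "/" and "/nonexistent" both come out as "no private home", so the caller falls back to a directory it controls instead of depending on either distribution default.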