Bug 150159 - user nobody has / as homedir defined in /etc/passwd
Summary: user nobody has / as homedir defined in /etc/passwd
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
: High normal
Assignee: Gentoo's Team for Core System packages
: 212919
Reported: 2006-10-05 05:07 UTC by Toralf Förster
Modified: 2008-03-10 11:44 UTC
Description Toralf Förster gentoo-dev 2006-10-05 05:07:50 UTC
tfoerste@n22 ~ $ grep nob /etc/passwd
nobody:x:65534:65534:nobody:/:/bin/false

Why is the user's home dir "/"?
The background of this question can be found here: https://sourceforge.net/tracker/?func=detail&atid=386750&aid=1488505&group_id=26275

Wouldn't it be better to use "/nonexistent" or so?
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-10-05 05:19:21 UTC
/ is NOT owned by nobody, use ls. Changing summary.

# ls -ld /
drwxr-xr-x 21 root root 488 2006-10-05 14:16
Comment 2 yogeshbug 2006-10-05 05:37:27 UTC
And moreover, the default shell of nobody is /bin/false, so it does not make any difference.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-10-05 09:03:40 UTC
The LSB states:
http://refspecs.freestandards.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/usernames.html
"The location of the users home directory is also not defined by policy other than the recommendations of the Filesystem Hierarchy Standard and should be obtained by the getpwnam(), getpwnam_r(), getpwent(), getpwuid(), and getpwuid_r() functions."

FreeBSD-4.1:
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
Solaris 10:
nobody:x:60001:60001:uid no body:/:/bin/false

In short, I think anything depending on nobody having a nonexistent homedir is asking for trouble anyway.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-10-05 17:02:14 UTC
here's Fedora Core 5:
nobody:x:99:99:Nobody:/:/sbin/nologin

I'd say that webdav is doing the wrong thing in trying to use the homedir of the nobody user. if it's after an empty directory, maybe use the /var/empty that ssh does?

could you please pass this Gentoo bug on to the upstream dav bug?
Comment 5 SpanKY gentoo-dev 2006-10-05 18:48:06 UTC
I don't see anything that needs to be changed
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2008-03-10 11:29:34 UTC
*** Bug 212919 has been marked as a duplicate of this bug. ***
Comment 7 Julien Cayzac 2008-03-10 11:44:25 UTC
So, if I understand well, you're saying that all the programs that access ~user without handling the special case where user is nobody are broken and nothing should be handled in Gentoo's default nobody homedir policy?

I see at least two arguments against that:
1/ Third party programs have no way of knowing the "unprivileged" user login (it can be "nobody" as well as "noone", "unprivileged", ... and several accounts may be unprivileged).
2/ If I follow the logic, gcc should not output any warning when compiling third party programs that use old, insecure libc functions such as strcmp(). Not to mention its runtime buffer overflow protection abilities, since well-written programs should not be vulnerable to buffer overflow attacks.

On the other hand, I cannot see anything that would break if nobody's homedir were changed from / to /nonexistent by default.
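
Added example (not part of the original bug thread, and not code from Gentoo or the WebDAV project): one way a program can obtain a home directory through getpwnam_r(), as the LSB text quoted in Comment 3 recommends, and check it before use without special-casing the account name. The status names, the 4096-byte buffer and the ownership and permission policy are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes are names made up for this example. */
enum home_status { HOME_OK, HOME_NO_USER, HOME_BAD_PATH, HOME_MISSING,
                   HOME_NOT_DIR, HOME_NOT_OWNED, HOME_WRITABLE_BY_OTHERS };

/* Decide whether `home` is a directory that `uid` really controls. */
enum home_status home_check(const char *home, uid_t uid)
{
    struct stat st;

    if (home == NULL || home[0] != '/')
        return HOME_BAD_PATH;            /* empty or relative entry */
    if (lstat(home, &st) != 0)
        return HOME_MISSING;             /* missing or unreadable, e.g. /nonexistent */
    if (!S_ISDIR(st.st_mode))
        return HOME_NOT_DIR;             /* a file, or a symlink (lstat is used) */
    if (st.st_uid != uid)
        return HOME_NOT_OWNED;           /* e.g. "/" is owned by root, not nobody */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return HOME_WRITABLE_BY_OTHERS;  /* other accounts could plant files */
    return HOME_OK;
}

/* Look the account up by name, then check the directory its entry lists. */
enum home_status user_home_check(const char *user)
{
    struct passwd pw, *res = NULL;
    char buf[4096];                      /* fixed size chosen for the example */

    if (getpwnam_r(user, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return HOME_NO_USER;
    return home_check(res->pw_dir, res->pw_uid);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    enum home_status s = user_home_check(user);
    printf("%s: status %d\n", user, (int)s);
    return s == HOME_OK ? 0 : 1;
}
```

With the passwd entries quoted in this thread, the same check rejects both "/" (not owned by the account) and "/nonexistent" (missing), so the caller falls back to a directory of its own choosing in either case.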