Why do some packages require their own user to run?

7

0

Why in SVN, Apache, and many other programs, does the admin have to create a new user just for the server to use?

Yosef

Posted 2011-06-19T21:53:55.083

Reputation: 1 217

I edited your question to be more clear; but I fear I may have misunderstood your meaning entirely. Please clarify... if my edits were incorrect, I apologize, and hope you'll re-word your question to be more clear. – Flimzy – 2011-06-19T22:10:40.563

Answers

10

If I understand your question properly, you're asking why must an svn user be created for svn, and a www-data user created for apache, etc. Correct?

The reason is for security. The basic concept at play is called "isolation," and is a common practice. The main basic idea is that if each service runs as its own user, then if there is ever a security flaw or bug discovered in the program, the flaw would only be exploitable to the extent allowed by that user.

For example, suppose somebody figured out how to hack into SVN and delete all of your files. (This is not a real security flaw, and likely never will be, but just assume, for the sake of argument)... If you ran the SVN service as the 'root' user, then this theoretical hacker could start deleting all of your files. If, on the other hand, SVN requires its own user, then this theoretical hacker can only delete the files owned by the SVN user.

I hope this addresses your question... if not, please clarify, and I'll try again.


EDIT: To answer your comment...

It is usually/always possible to run any program as root. But it is usually inadvisable to do so, except when actually necessary. A very common approach to this sort of thing is to run every program with the least amount of permission necessary. This can also help prevent a bug in a program from inadvertently causing problems with other programs (another reason for security isolation, which I did not mention earlier).

However, there are times when a program must run as root, because it simply cannot do what it needs to do any other way. Some common tasks that require root privileges, and would thus be justification for not running as a separate user:

  • Accessing the system password database
  • Binding to (listening on) a privileged TCP port (i.e. ports 1-1023)
  • Interacting with the filesystem or certain hardware devices at a low level

Even within these (and other) categories, there are often ways to get around having to run as root. For instance, many network programs (Apache for instance) will start as the root user, then bind to port 80, then change users to www-data for the rest of its execution. So even when there are specific cases that require root access, often measures are taken to get around that requirement so that the process can run as a less-privileged user.

Flimzy

Posted 2011-06-19T21:53:55.083

Reputation: 4 168

I don't think he was asking why different services run as different system users, he was asking why some programs have their own user database that is separate from the system user database. – TomH – 2011-06-19T22:07:26.980

Great answer! Can you please give examples of programs on Linux that do not use their own user? – Yosef – 2011-06-19T22:09:07.370

@TomH: I saw your answer after I wrote mine... and maybe you're right. It's a bit confusing to me :) – Flimzy – 2011-06-19T22:09:29.757

@TomH no he isn't asking that :P – BloodPhilia – 2011-06-19T22:23:20.603

Well, technically many of those things can also be done using capabilities (CAP_NET_BIND_SERVICE, CAP_SYS_RAWIO and such). – Hello71 – 2011-06-19T22:58:24.667

4

Because the authors of those programs choose to use separate user databases rather than using the system password database.

One reason why that is sometimes done is if the program needs to have access to the plaintext version of the password, perhaps because it is implementing a network protocol which requires that, as there is no way to access the plaintext passwords for system users as they are only held in hashed form.

That is true for example with apache, and by extension for svn when it is using HTTP basic authentication, as HTTP basic authentication requires access to the plaintext passwords.

TomH

Posted 2011-06-19T21:53:55.083

Reputation: 2 558

Can you please write examples - it's hard for me to understand because I am not a Linux expert - I am a Linux intermediate level user (I am a web programmer). – Yosef – 2011-06-19T22:05:17.200

Having to implement HTTP basic authentication is an example of why it may be necessary to have a separate user database. – TomH – 2011-06-19T22:08:23.937

This has nothing to do with the question! – BloodPhilia – 2011-06-19T22:21:37.407

Well, it doesn't now that the question has been edited, @BloodPhilia... The original question was very unclear and could be read either way. – TomH – 2011-06-19T22:23:58.660

In TomH's defense, the original question was difficult to understand, and he answered the question before it was edited. – Flimzy – 2011-06-19T22:24:07.707