setuid/setgid nobody

Discussion in 'all things UNIX' started by Gullible Jones, Nov 27, 2012.

Thread Status:
Not open for further replies.
  1. I have heard a lot about setuid/setgid being evil, bad, and dangerous to mess with. This seems obvious enough when one is talking about using them to elevate privileges.

    But what about for reducing privileges? I realize this is mostly academic, because GTK programs refuse to run when setuid/setgid... But wouldn't running an internet-facing program as setuid and setgid nobody (or better yet, setuid/setgid as its own unprivileged user) be an effective way of automatically sandboxing it? Especially on single-user systems?
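The mechanics behind the question above, as an added example that is not part of the original thread: when only the setuid/setgid bits switch a program to an unprivileged owner, the real IDs remain those of the invoking user, so the program must overwrite them itself for the drop to be one-way. The C code below assumes Linux semantics; `can_regain` and `drop_permanently` are hypothetical names and the uid values are constructed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the kernel rule: an unprivileged process may switch its effective
 * ID to its real or saved ID, so the drop is reversible while either differs. */
int can_regain(unsigned long real, unsigned long eff, unsigned long saved)
{
    return real != eff || saved != eff;
}

/* Make the drop one-way: copy the effective IDs over the real and saved ones
 * (group first, then user), then prove the old real IDs cannot be restored.
 * Returns 0 on success, -1 otherwise (including when the effective user is
 * root). Supplementary groups stay the caller's: changing them needs privilege. */
int drop_permanently(void)
{
    uid_t old_ru = getuid(), eu = geteuid();
    gid_t old_rg = getgid(), eg = getegid();

    if (setregid(eg, eg) != 0 || setreuid(eu, eu) != 0)
        return -1;
    if (old_ru != eu && seteuid(old_ru) == 0)
        return -1;                      /* user ID came back: not dropped */
    if (old_rg != eg && setegid(old_rg) == 0)
        return -1;                      /* group ID came back: not dropped */
    return (getuid() == eu && geteuid() == eu &&
            getgid() == eg && getegid() == eg) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: uid 1000 runs a binary that is setuid to 65534. */
    printf("setuid bit only: regain=%d\n", can_regain(1000, 65534, 65534));
    printf("after full drop: regain=%d\n", can_regain(65534, 65534, 65534));
    if (drop_permanently() != 0) {
        fprintf(stderr, "privilege drop failed or is reversible\n");
        return 1;
    }
    printf("real uid=%lu effective uid=%lu\n",
           (unsigned long)getuid(), (unsigned long)geteuid());
    return 0;
}
```

Run without the setuid bit, `drop_permanently` is a no-op that still succeeds, because real and effective IDs already match.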
     