Request For Candidates: Application Review Board

Bob Proulx bob at proulx.com
Mon Aug 30 17:50:29 BST 2010


Morten Kjeldgaard wrote:
> In the old days of UNIX, all applications in /bin and /usr/bin were  
> owned by a non-privileged user "bin", _except_ the ones that  
> specifically needed root privileges. These days, in all distributions  
> of Linux that I know of, all applications are owned by root, no matter  
> if they need special privileges or not. The wisdom of that approach  
> has always puzzled me.

The 'bin' user predates NFS.  It was thought that having the file
owned by a non-root user was slightly safer than having it owned by
the 'root' user.  Then even if it were accidentally setuid it wouldn't
be a privilege escalation to root.

Then in the timeline of development along comes NFS.  If the root disk
were exported read-write then a 'bin' user on an NFS client could
write to files owned by 'bin' on the NFS server.  NFS made all
non-root user file ownership unsafe.

To avoid that case the ownership of those files in post-NFS was
changed to 'root'.  A 'root' user on an NFS client cannot write to
'root' owned files on an NFS server because the root_squash converts
the 'root' uid to user 'nobody'.  It is important that the directory
be owned by root as well for this protection.

It may seem counter intuitive but in an NFS environment 'root' is the
only safe user due to the behavior of 'root_squash'.

Note also that in those days only whole filesystems could be exported.
It wasn't possible to only export a sub-tree of a filesystem.  (You
could try, but the filesystem root was actually exported instead.)
And since disks were expensive and small the terms "filesystem" and
"disk" were mostly interchangeable.  This meant that in practical use
whole disks were exported read-write.  This was in the friendly old
days on trusted local area networks where everyone knew everybody so
it isn't as bad as it sounds today.  But it explains why exporting the
data disk of an NFS server often meant that the /bin on the same disk
was potentially writable from NFS clients too.  But in actuality it
wasn't writable because it was owned by root and root_squash protected
it, as long as all system files were owned by root.

Bob
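The mechanism Bob describes (root_squash protects root-owned files but leaves every other uid exposed, and the directory matters as much as the file) can be shown with a small model of the server-side decision. This is an added example, not code from the post or from any NFS implementation. It assumes the Linux exports(5) options root_squash (the default), no_root_squash and all_squash, an anonymous uid/gid of 65534 (the Linux default; older systems used -2), and the historical uid 2 for the 'bin' user. The permission check is the ordinary owner/group/other test the server applies after squashing.

```python
from __future__ import annotations
from dataclasses import dataclass

# Anonymous identity that root_squash maps client root to.  65534 is the Linux
# default; the exact number is an assumption for this model.
NOBODY_UID = 65534
NOBODY_GID = 65534

# Historical uid/gid of the 'bin' user; assumed for illustration.
BIN_UID = 2
BIN_GID = 2


@dataclass(frozen=True)
class Inode:
    """A server-side file or directory: owner, group and permission bits."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


def squash(client_uid: int, client_gid: int, options: set[str]) -> tuple[int, int]:
    """Apply the export's squashing options to the credentials a client presents.

    root_squash is the default: only uid 0 is rewritten.  Every other uid is
    passed through unchanged, which is the whole point of the post above.
    """
    if "all_squash" in options:
        return NOBODY_UID, NOBODY_GID
    if client_uid == 0 and "no_root_squash" not in options:
        return NOBODY_UID, NOBODY_GID
    return client_uid, client_gid


def may_write(inode: Inode, uid: int, gid: int) -> bool:
    """Classic Unix discretionary write check on one inode."""
    if uid == 0:
        return True  # only reachable when the export is no_root_squash
    if uid == inode.uid:
        return bool(inode.mode & 0o200)
    if gid == inode.gid:
        return bool(inode.mode & 0o020)
    return bool(inode.mode & 0o002)


def client_can_write(inode: Inode, client_uid: int, client_gid: int,
                     options: set[str] = frozenset()) -> bool:
    """Can a client process with these credentials modify this file in place?"""
    uid, gid = squash(client_uid, client_gid, set(options))
    return may_write(inode, uid, gid)


def client_can_replace(parent: Inode, client_uid: int, client_gid: int,
                       options: set[str] = frozenset()) -> bool:
    """Can the client unlink and recreate an entry in this directory?

    Replacing a file needs write on the directory, not on the file, so a
    root-owned binary in a bin-owned /usr/bin is still swappable.
    """
    uid, gid = squash(client_uid, client_gid, set(options))
    return may_write(parent, uid, gid)


# Constructed sample filesystem: the pre-NFS layout (bin-owned) and the
# post-NFS layout (root-owned), each with a matching /usr/bin directory.
OLD_DIR = Inode("/usr/bin", BIN_UID, BIN_GID, 0o755)
OLD_LS = Inode("/usr/bin/ls", BIN_UID, BIN_GID, 0o755)
NEW_DIR = Inode("/usr/bin", 0, 0, 0o755)
NEW_LS = Inode("/usr/bin/ls", 0, 0, 0o755)


def scenario() -> dict[str, bool]:
    """Outcomes for client 'bin' and client 'root' against both layouts."""
    return {
        # Old layout: any client whose uid happens to be 2 owns the binaries.
        "old: client bin writes ls": client_can_write(OLD_LS, BIN_UID, BIN_GID),
        "old: client root writes ls": client_can_write(OLD_LS, 0, 0),
        # New layout: root_squash turns client root into nobody.
        "new: client bin writes ls": client_can_write(NEW_LS, BIN_UID, BIN_GID),
        "new: client root writes ls": client_can_write(NEW_LS, 0, 0),
        # Mixed layout: root-owned file in a bin-owned directory is replaceable.
        "mixed: client bin replaces ls": client_can_replace(OLD_DIR, BIN_UID, BIN_GID),
        "new: client bin replaces ls": client_can_replace(NEW_DIR, BIN_UID, BIN_GID),
        # Misconfiguration: no_root_squash hands client root the server.
        "new: no_root_squash root writes ls":
            client_can_write(NEW_LS, 0, 0, {"no_root_squash"}),
    }


if __name__ == "__main__":
    for label, allowed in scenario().items():
        print(f"{label:40} {'WRITABLE' if allowed else 'denied'}")
```

The model shows why only root is safe under root_squash: it is the single uid the server refuses to trust from the wire, so every non-root owner is one uid collision away from a writable system binary, and a bin-owned directory undoes the protection of a root-owned file inside it.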


