Tux

...making Linux just a little more fun!

A thread about nobody

Rick Moen [rick at linuxmafia.com]
Fri, 23 Jun 2006 12:42:04 -0700

Being submitted as grist for the TAG-publication mill. Attached.

Date: Fri, 23 Jun 2006 11:14:32 -0700
From: Bill Kendrick <nbs@sonic.net>
To: TAG <tag@lists.linuxgazette.net>
To: LUGOD Tech <vox-tech at lists.lugod.org>
Subject: Re: [vox-tech] Purpose of "nobody" user?
Yesterday, I was helping Melissa add a user account to her laptop. I decided to just point her at KDE's "Kuser" (K->System->"User Manager") GUI tool, mostly because I wanted to see it. ;) ("adduser" is not hard to use, but I figured most non-Unix-types would go hunting a GUI tool, so wanted to familiarize myself with it.)

One thing she noticed was the user "nobody", which sounded supsicious. And it had quite an insane UID (65534), compared to other user accounts. Her first thought was to Google for 'nobody 65534', and found many, many posts where people had obviously dumped their /etc/passwd to a mailing list for help with this-or-that. Based on this, she seemed happy enough to know it's just some "thing" that Linux does/has.

For the life of me, I couldn't really explain what "nobody" is used for. I'm familiar with it in terms of NCSA httpd and Apache, but beyond that... A little help, here? :^D

Thx!

-bill! (PS - Google for '"nobody user" OR "user nobody" purpose linux' wasn't as helpful as I had hoped. :^/ I also tried throwing 'FAQ' in there ;^) )

From: Rod Roark <rod@sunsetsystems.com>
To: TAG <tag@lists.linuxgazette.net>
To: LUGOD Tech <vox-tech at lists.lugod.org>
Date: Fri, 23 Jun 2006 11:50:20 -0700
Subject: Re: [vox-tech] Purpose of "nobody" user?

On Friday 23 June 2006 11:14, Bill Kendrick wrote:

> For the life of me, I couldn't really explain what "nobody" is used for.
> I'm familiar with it in terms of NCSA httpd and Apache, but beyond that...
> A little help, here?  :^D
I'll take a stab at this.

The way I would explain it is that a *nix system has a variety of users that are non-human.

They are users in the sense that they run processes that do not require privileges to other parts of the system, and they maintain resources (e.g. files and directories) to which other parts of the system do not need access. Therefore it is convenient and sensible to isolate them from human users and from each other in the same way that human users are isolated from each other.

The general idea is that your system is more secure if access is not granted where it is not needed. A non-human user may be a security risk if, for example, it runs a program containing a flaw that lets someone break in and run tasks with the privileges of that user.

I suppose someone chose the name "nobody" for one of these users simply to emphasize that it's not human. But there are many other examples of such users, like apache, bind, daemon, mail, mysql and news.

I hope this is not too condescending... I wrote it this way so that newbies may also find it useful.

Rod

Date: Fri, 23 Jun 2006 12:27:11 -0700
From: Bill Kendrick <nbs@sonic.net>
To: TAG <tag@lists.linuxgazette.net>
To: "lugod's technical discussion forum" <vox-tech at lists.lugod.org>
Subject: Re: [vox-tech] Purpose of "nobody" user?
On Fri, Jun 23, 2006 at 11:50:20AM -0700, Rod Roark wrote:

> I suppose someone chose the name "nobody" for one of these users
> simply to emphasize that it's not human.  But there are many other
> examples of such users, like apache, bind, daemon, mail, mysql and
> news.
> 
> I hope this is not too condescending... I wrote it this way so that
> newbies may also find it useful.

No, not at all. Looking all the other dozens of users (lp, sys, etc.), I explained to Melissa that it was exactly this... putting up fences between processes and files, so they can't clobber each other. (Which would normally happen accidentally, or via an exploit.)

So it sounds like "nobody" is just more of a catch-all for this kind of thing. (e.g., back in the day, Apache ran as "nobody". These days, it's usually as an "apache" or "httpd" user.)

Seem like a reasonable way of explaining it?

-- -bill! bill at newbreedsoftware.com http://www.newbreedsoftware.com/

Date: Fri, 23 Jun 2006 12:39:25 -0700
To: vox-tech at lists.lugod.org
From: Rick Moen <rick@linuxmafia.com>
To: TAG <tag@lists.linuxgazette.net>
Subject: Re: [vox-tech] Purpose of "nobody" user?
Quoting Bill Kendrick (nbs at sonic.net):

> 
> Yesterday, I was helping Melissa add a user account to her laptop.
> I decided to just point her at KDE's "Kuser" (K->System->"User Manager")
> GUI tool, mostly because I wanted to see it. ;)  ("adduser" is not hard to
> use, but I figured most non-Unix-types would go hunting a GUI tool,
> so wanted to familiarize myself with it.)
> 
> One thing she noticed was the user "nobody", which sounded supsicious.
> And it had quite an insane UID (65534), compared to other user accounts.
> Her first thought was to Google for 'nobody 65534', and found many, many
> posts where people had obviously dumped their /etc/passwd to a mailing list
> for help with this-or-that.  Based on this, she seemed happy enough to
> know it's just some "thing" that Linux does/has.
> 
> For the life of me, I couldn't really explain what "nobody" is used for.
> I'm familiar with it in terms of NCSA httpd and Apache, but beyond that...
> A little help, here?  :^D

I note with appreciation Rod's separate explanation. Mine will probably suffer some inaccuracies because it attempts to reconstruct ancient *ix lore from faulty memory.

The "nobody" account is one that became a traditional feature long ago, as a "sandbox" user-ID/username for running automated processes under without elevated privilege and without special access to any specific real user's files. It's typically set to have either a locked password or no valid shell, so as to not be an entry point for attackers.

I think that it's maybe (I was going to say "probably", but then thought better) largely superfluous (but harmless) at this point, because it eventually dawned on Unix admins that two separate automated processes could have a common-mode security failure or other form of disasterous interaction, such that it's better to set up a distinct username for each such process to run under -- which is why Apache httpd now typically runs as user "httpd" or such, for example.

Now, I can't swear that something won't break on your system, either today or later on, if you were hypothetically to remove or further restrict the "nobody" user. Some scripts might be running as "nobody" from time to time -- maybe cronjobs?

Flashback: Early in my use of Unixes, I decided one day to "tighten system security", and eventually got around to setting the various non-real usernames in /etc/passwd to have shell /bin/false instead of /bin/sh, /tmp/[username] for their shells, and so on. Big mistake: A whole lot of crucial system maintenance broke -- because those usernames turned out to need a real shell to do their work, though they didn't have to be valid for login.


Top    Back


Rick Moen [rick at linuxmafia.com]
Fri, 23 Jun 2006 13:53:13 -0700

Jim Stockford replied to my mail:

From: jim stockford <jim@well.com>
To: TAG <tag@lists.linuxgazette.net>
Date: Fri, 23 Jun 2006 12:50:34 -0700
To: lugod's technical discussion forum <vox-tech at lists.lugod.org>
Subject: Re: [vox-tech] Purpose of "nobody" user?
the "insane" UID (65534) is -2, where 0 can be thought of as 00000 and -1 is one less, which in CPU registers is all 1 values, i.e. 65535 and -2 is one less than -1, i.e. 65535 - 1 = 65534

I forget the user name for -1 and here the nobody user name has -2 for a UID (that's what 65534 is in 16-bit land).

There's one big shop I know of that uses nobody (65534) as an application name, I believe for a remote log in. In the case of a laptop that has no apps remotely logging in, there might be some human log in scheme that permits remote logging in as the user nobody and with the highly restricted file and command access that (should be) associated with that account.


Top    Back