Hi!

On Mon, Mar 06, 2006 at 02:59:49PM -0700, Theo de Raadt wrote:
>> The suggested patch did this only if the *real* UID was root.
>> So it doesn't give any user access to user nobody, but only drops
>> from *real* root to nobody. In fact, the patch was after the
>> normal privilege dropping sequence, so even if the condition
>> if (getuid() == 0)
>> were omitted, it couldn't change from non-root to nobody.

>I still do not agree at all with doing this. Sorry. "nobody" is
>special, and should not be misused like this.

My statement was neutral towards the question whether the original
suggestion should be implemented as is, in a modified way or not
at all. It was just to point out what seemed like a misunderstanding
to me.

IIRC OpenBSD usually uses separate users for each app that drops/separates
privileges. So a consequential implementation would use a user _ping
instead of reusing nobody in a questionable way. But of course the
question is valid whether that's worthwhile compared to the theoretical
risk (low under OpenBSD anyway) that root runs ping and the other host
could exploit it using crafted response packets.

Kind regards,

Hannah.