Jump to navigation Jump to search
This article relies too much on references to primary sources. (May 2016) (Learn how and when to remove this template message)
In many Unix variants, "nobody" is the conventional name of a user account which owns no files, is in no privileged groups, and has no abilities except those which every other user has. Some systems also define an equivalent group "nogroup".
- The pseudo-user "nobody" and group "nogroup" are used, for example, in the NFSv4 implementation of Linux by idmapd, if a user or group name in an incoming packet does not match any known username on the system.
- It was once common to run daemons as nobody, especially servers, in order to limit the damage that could be done by a malicious user who gained control of them. However, the usefulness of this technique is reduced if more than one daemon is run like this, because then gaining control of one daemon would provide control of them all. The reason is that processes owned by the same user have the ability to send signals to each other and use debugging facilities to read or even modify each other's memory. Modern practice, as recommended by the Linux Standard Base, is to provide better security isolation by creating a separate user account for each daemon.
- Linux Standard Base, Core Specification 3.1 section 21.2: User & Group Names, linux-foundation.org