Unprivileged default user for "tiny" daemons?

From: Felix Palmen <zirias_at_FreeBSD.org>
Date: Mon, 08 May 2023 16:39:41 UTC
Hi all,

TL;DR: Is there a recommendation for a generic unprivileged default user
to use with tiny daemons that won't need any file permissions?

I stumbled over that question when adding security/tlsc, a port of my
own very tiny daemon that does a simple little thing, without accessing
any files (except for its own pidfile). Of course, the best thing to do
is to add a service account to UIDs, but looking at it, I found this
comment:

# Please pick an empty slot when available and also consider base values from
# /usr/src/etc/master.passwd

This made me think: When would it be appropriate *not* to allocate a
dedicated UID? I'd personally answer that with "when your daemon doesn't
need to access any files". And I see how it makes sense, because the
space available for service accounts is limited to UIDs < 1000.

So I started to explore the tree a bit with 'git grep'. It seems almost
40 ports use 'nobody' as their default user. So I did the same.

Also discussing this briefly on IRC, there was the suggestion 'daemon'
would be a better fit. I can't find a single port using that. Does
anything in base use it, is it still recommended?

Furthermore, the concern was expressed that 'nobody' is used by NFS e.g.
as the fake owner of files owned by root, with the intention that nobody
should be able to access these. So, a daemon running as 'nobody' might
accidentally get access to lots of files on mounted NFS shares?

I tend to think now that 'daemon' should really be the way to go when
you don't need a dedicated account. Am I overlooking something? Any
other comments?

Cheers, Felix

-- 
 Felix Palmen <zirias@FreeBSD.org>     {private}   felix@palmen-it.de
 -- ports committer (mentee) --            {web}  http://palmen-it.de
 {pgp public key}  http://palmen-it.de/pub.txt
 {pgp fingerprint} 6936 13D5 5BBF 4837 B212  3ACC 54AD E006 9879 F231
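An added example, not from Felix's post or the tlsc port: how a tiny daemon can drop from root to a shared account such as 'daemon', refusing any account that would leave it privileged and verifying that the drop cannot be undone. The function names are hypothetical and the default account name "daemon" is just a constructed default.

```c
#define _GNU_SOURCE   /* for setgroups() on glibc; harmless on FreeBSD */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: resolve an account name and reject anything that would
 * leave the daemon privileged (uid 0 or primary gid 0). Returns 1 if usable. */
int account_is_usable(const char *name, uid_t *uid_out, gid_t *gid_out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;                          /* account does not exist */
    if (pw->pw_uid == 0 || pw->pw_gid == 0)
        return 0;                          /* root or wheel: not unprivileged */
    if (uid_out) *uid_out = pw->pw_uid;
    if (gid_out) *gid_out = pw->pw_gid;
    return 1;
}

/* Hypothetical helper: drop from root to the named account. Order matters:
 * supplementary groups first, then gid, then uid, because after setuid() the
 * process can no longer change its groups. Returns 0 on success, -1 on error. */
int drop_to_account(const char *name)
{
    uid_t uid; gid_t gid;
    if (!account_is_usable(name, &uid, &gid))
        return -1;
    if (getuid() != 0)                     /* not root: nothing to drop */
        return (getuid() == uid && geteuid() == uid) ? 0 : -1;
    if (setgroups(1, &gid) != 0)           /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Make sure the drop is real and cannot be reverted. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "daemon";   /* constructed default */
    if (drop_to_account(user) != 0) { fprintf(stderr, "cannot run as %s\n", user); return 1; }
    printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```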