Title. Just had this baseless yet possible idea on my head and I’d like to know how wrong it is? Since afaik, “nobody” has absolutely zero permissions… other than the ones given by the user. Pretty sure I’m missing something vital or important, but… I’m completely fine being called dumb every now and then.

Thanks in advance.

  • Max-P@lemmy.max-p.me
    18·
    1 year ago

    Nobody is not a special user like root, it's a regular user that just happens to not have permissions on anything. It can still read everything, write everywhere it's 0777, use /tmp. It's no different than making a new user, except that one by convention isn't used. You shouldn't run things as that user, as that eventually just makes it the user that runs everything. It's supposed to be used by NFS and you should always prefer making a new user instead.

    I would just use a rootless container, that way the whole system is invisible to wine apart from the tiny slice of files you mounted in it.

  • nyan@lemmy.cafeEnglish
    4·
    1 year ago

    If you’re looking for some way to restrict what a few specific programs can do without going to containers, consider firejail. It will likely do a better job than a home-rolled solution.

  • chayleaf@lemmy.ml
    4·
    1 year ago

    executable ownership doesn’t matter, what matters is the rights of the user running the binary, and whatever sandboxing you have configured. So use Flatpak or Firejail.