Old 09-23-2004, 11:00 AM   #1
alan8373
LQ Newbie
 
Registered: Jul 2003
Distribution: SuSE, Debian, Slack, Ubuntu, Gentoo
Posts: 23

Rep: Reputation: 15
I wanna be 'nobody'


Hey all - I have what might be a silly question. I want to run as the user 'nobody'. But I can't quite login as such.

Details...

I want to run firefox from my USB key plugged into several different Linux boxes at various times. I've written a small script to configure it to think my 'home' directory is on the usb key (so local files and temp cache go there) and it runs beautifully when I'm the user 'alan' (that's me). Since 'alan' exists on the local machine and 'alan' is what I mounted the usb drive's uid flags with, everything's kosher.

However, thinking long term, not every Linux box that I want to run firefox on from this usb key has an 'alan' user so I want to come up with a way to mount the usb drive with executable and writable permissions for a common user that exists on all linux systems (or at least most). I know 'root' is a possibility but I **really** don't want to do that. The only other user that I know exists almost everywhere is the 'nobody' user. Here's where it gets sticky...

The mount command I use for the usb drive (and the one I'd like to be able to memorize and use everywhere I go) is ...

mount -t vfat /dev/sda1 /media/usb -o user,rw,uid=nobody,gid=nobody,exec

At that point, I've already created /media/usb, and I'm 'root' running the mount command.

Ok, so after this, I have a valid mount in /media/usb with execute permissions for 'nobody'. Great -- now the question is how do I run as 'nobody'?

When I do 'su nobody' it prompts for a password. I tried blank, the root's password, and even 'alan's password. Nothing seems to work. I'm on SuSE 9.1 and my /etc/passwd file for 'nobody' is this...

nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash

So, 'nobody' has a home dir and runs bash for its login shell. I just can't figure out the password for it.

So, my question(s) are this --

1) what is the password for 'nobody', and
2) is this a good way to accomplish what I'm trying to do? - that is be able to write and execute programs on a mobile usb key on any Linux computer?


Thanks in advance!
alan@suse91-linux:/media/usb> _
 
Old 09-23-2004, 11:18 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
"nobody" is not a login user. It's called "nobody" because it's really nobody, i.e. not a real account. It exists so that processes with privilege revoking can change their EUID to that of "nobody". It's very uncommon to have a real shell, usually it's set to /usr/bin/false or /sbin/nologin. The home directory is usually set to some place "safe", although /var/lib seems pretty weird (often it's set to a directory that doesn't actually exist, or just completely unset).

I don't really understand what you're trying to accomplish with this... Are you trying to use a universal "guest" account? If so, you have to rely on whatever "guest" capabilities are provided by the specific distribution you're using (as long as it hasn't been disabled). If it was possible to login to any box with "nobody", that would be a serious security vulnerability.
 
Old 09-23-2004, 11:28 AM   #3
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
If your current idea requires root access to each machine and creating /media/usb, why not look into using group permissions and mount the drive so all members of a new group can access it?
 
Old 09-23-2004, 11:45 AM   #4
alan8373
LQ Newbie
 
Registered: Jul 2003
Distribution: SuSE, Debian, Slack, Ubuntu, Gentoo
Posts: 23

Original Poster
Rep: Reputation: 15
I was thinking of setting up the mount to allow full access to the group 'users' which I believe is - for the most part - universal among Linux desktop distros. That way, no matter what regular user was logged in, as long as they're a member of 'users', everything would be ok.

That reply regarding allowing 'nobody' to login arbitrarily is a good point. I didn't think about that.

I think I'll tackle this from a more traditional angle and work with the group rights.

One final question - where's a good place to explain the difference between the rights assigned with the mount flags (exec, rw) versus the flags that appear in the file system when I run 'ls'. I've seen files on my usb key with the 'x' flag set that refuse to execute because the 'exec' flag wasn't specified during mounting. I'm still not 100% clear as to what the differences and reasons for this are. I'm getting the hang of it but still not fully there.


Thanks
 
Old 09-23-2004, 04:53 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
File system mount flags override file permissions. If a file system is mounted "noexec" you won't be able to execute anything on that file system, regardless of permissions. Same thing if you mount the system "ro", you won't be able to write to files even if the file itself has the 'w' flag.
 
Old 09-30-2004, 10:31 AM   #6
alan8373
LQ Newbie
 
Registered: Jul 2003
Distribution: SuSE, Debian, Slack, Ubuntu, Gentoo
Posts: 23

Original Poster
Rep: Reputation: 15
This raises a question...

Ok, so if the mount command stomps over the permissions set specifically on the drive you're mounting, that implies that only the mount command can specify the mounting permissions (rw versus ro, exec versus noexec, uid, gid, and so forth). Does this also mean that ALL directories and files share the same permissions on the mounted drive? In other words, if I mount my usb key into /media/usb and use the "rw,exec" flags, that means that ALL files are read/write, and ALL files are executable, even if they're not executable normally like .txt files? That's what I'm currently observing but was wondering if this is the default for 'mount' and if this can be modified somehow. I understand most USB keys use some FAT variant for the file system. Would formatting it to ext2 fix any of this?
 
Old 09-30-2004, 02:24 PM   #7
flashingcurser
Member
 
Registered: Jan 2003
Distribution: many win/nix/mac
Posts: 259

Rep: Reputation: 32
1. Edit your /etc/passwd

Find the line for nobody and change the last part of that line from /bin/false to /bin/bash

2. Log in as root

3. su to nobody

Voila, you're nobody (couldn't resist the pun!)

PS: remember to change your /etc/passwd back to /bin/false -- and remember to be very careful in /etc/passwd!!!!! You can hose your system if you do too much screwing around in there.
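
Added example (not part of the post above or of any reply in this thread): a read-only check of the /etc/passwd shell field that the steps above edit, useful for confirming afterwards that 'nobody' and other system accounts are back on a non-login shell. The UID_MIN threshold of 1000, the function names, and every sample line except the 'nobody' entry quoted in post #1 are assumptions.

```shell
#!/bin/sh
# Added example: list system accounts in passwd-format input that have an
# interactive login shell. Read-only; it never modifies /etc/passwd.

# Assumption: UIDs below UID_MIN are system accounts (1000 on many
# distributions, 500 on some older ones), plus the conventional
# "nobody" UID 65534.
UID_MIN="${UID_MIN:-1000}"

# audit_shells: reads passwd(5) lines on stdin and prints "name uid shell"
# for every system account whose shell is not a known non-login shell.
audit_shells() {
    awk -F: -v min="$UID_MIN" '
        /^#/ || NF < 7 { next }              # skip comments and malformed lines
        {
            name = $1; uid = $3 + 0; shell = $7
            is_sys = (uid < min || uid == 65534 || name == "nobody")
            if (!is_sys || uid == 0) next    # root legitimately has a shell
            # Shells that refuse an interactive session.
            if (shell ~ /\/(false|nologin)$/) next
            # An empty shell field means /bin/sh, which is interactive.
            if (shell == "") shell = "(empty, defaults to /bin/sh)"
            print name, uid, shell
        }'
}

# Constructed sample: the "nobody" line is the one quoted in the first post;
# the other lines are made up for contrast.
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/false
wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/sbin/nologin
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
alan:x:1000:100:Alan:/home/alan:/bin/bash'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_shells; }

# On a live system: audit_shells < /etc/passwd
audit_sample
```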
 
Old 09-30-2004, 06:21 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
No, you should never give "nobody" a shell! Many processes run as "nobody" for security, precisely because you cannot login as that user. You would severely compromise security if you did that. Even the most trivial attacker could get a shell by exploiting one of your processes running as "nobody".

alan8373, all file systems are "mounted", so your question doesn't make much sense in that context. The parameters to mount only specify how files "may" be accessed. Obviously file permissions are used to check whether a user is allowed to execute, write, etc. What "mount" restrictions do is say whether that file system is capable of supporting that type of operation. It certainly doesn't mean all files are treated as the same permissions!

Look at it this way, you might have a car that can drive 25 MPH, 50 MPH, or 100 MPH. Now you can drive a 100 MPH car on a certain road, but if the road only allows you to go 50 MPH then that's the fastest you can go. Similarly, if you have a car that can only manage 25 MPH, it doesn't make a bit of difference what road you drive on, because you get 25 MPH regardless. Notice that the speed of your car doesn't limit any other cars on the road, but the speed capacity of the road does limit anyone that could potentially go faster. That's the difference between file permissions and mount parameters.
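
Added example (not part of the original thread): the two layers described in posts #5 and #8, with the mount options acting as the ceiling and the file mode deciding per file. The mount table is a constructed sample in /proc/mounts format, the function names are hypothetical, and only the owner permission bits are modelled.

```shell
#!/bin/sh
# Added example: decide whether a file may be executed or written by
# combining the mount options of its file system with its mode bits.

# Constructed sample in /proc/mounts format (device, mount point, type,
# options, dump, pass). /media/usb mirrors the thread; the rest is made up.
MOUNTS='/dev/hda2 / ext3 rw 0 0
/dev/sda1 /media/usb vfat rw,noexec,uid=1000,gid=100 0 0
/dev/hdc /media/cdrom iso9660 ro,nosuid,nodev 0 0'

# mount_opts PATH: print the options of the longest mount point that is a
# prefix of PATH (the file system the path actually lives on).
mount_opts() {
    printf '%s\n' "$MOUNTS" | awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if ((p == mp || index(p, pre) == 1) && length(mp) > best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: true if NAME is one of the comma-separated options.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# allowed PATH MODE OP: OP is "exec" or "write"; MODE is the octal mode as
# shown by stat (e.g. 755). Prints "yes" only if BOTH layers permit it.
# Simplification: only the owner bits are checked.
allowed() {
    opts=$(mount_opts "$1")
    owner=${2%??}                          # drop the group and other digits
    owner=${owner#"${owner%?}"}            # keep the last remaining digit
    case "$3" in
        exec)  has_opt "$opts" noexec && { echo no; return; }
               [ $(( owner & 1 )) -ne 0 ] && echo yes || echo no ;;
        write) has_opt "$opts" ro && { echo no; return; }
               [ $(( owner & 2 )) -ne 0 ] && echo yes || echo no ;;
    esac
}

allowed /media/usb/firefox/firefox 755 exec   # x bit set, but noexec mount
allowed /home/alan/notes.txt 644 exec         # exec-capable mount, no x bit
allowed /home/alan/run.sh 755 exec            # both layers agree
allowed /media/cdrom/setup.sh 755 write       # w bit set, but ro mount
```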
 
  

