A daemon ("service") is a program that runs all the time, providing some useful function or service to any other program. (A common example is the print-spooler, which lets you "queue up" printed output without waiting for the physical printer to finish.)
Daemons are like ordinary logged-on users in the sense that they run "as somebody." But, unlike logged-on users, they never log off.
When you log on, and enter the username 'joe', you run "as 'joe'" until you log off. Someone on another terminal who entered the username 'nancy' will run "as 'nancy'" until she logs off. Well, in the same manner, the print-spooler or any other daemon "runs as <somebody>" even though it never logs-off. Like any other program on the system, its privileges and its access are defined and controlled by "who it logs-on as."
When a daemon "minds its own business," you don't have to mind too much what privileges it does or doesn't have ... although as a matter of principle you should limit it to only what it needs.
When a daemon accepts work from others, or (gawd help us all...) from the Internet, we sadly must assume that the infidels who may (by whatever means known but to gawd) submit work to this daemon, must have (lawd, help us) evil intentions. We must assume that they intend to wreak havoc upon our hard-working daemon if they can... blasting 'is hard-working mind utterly to bits and bending 'is hard labors to their most-evil intentions. And so the only way that we possess to protect our gawd-fearing system from their most-evil designs is to strictly limit what our daemon can possibly do, no matter what Evil Spirit may somehow possess him.
We do this by "the user that the daemon logs-on as."
The most-powerful user is root, the Godhead of the system ... ommmm ... He Who Must Be Obeyed. A daemon that runs as this user, if trustworthy, can do Anything. (But "gawd help us all, there is surely Hell To Pay" if, as is so often the case in Microsoft Windows, he turns out to be a "vile and dastardly rogue!")
And the least-powerful user is nobody, the ultimate peon, no better than anyone else. A daemon that runs as this user, if untrustworthy, can do no harm. ("So let 'im be 'a vile and dastardly rogue' if it pleases 'im or strokes 'is ego. What bloody harm can 'e possibly do?")
is thy system (P.S. "be it Windows or Linux...") protected...
And if thou shouldst be offended by any supposed slight that you might conceive that I might have against thy religion, I prithee that thou shouldst kindly forbear, for surely I mean no slight against thee whatever. I mean all of this only but in good fun, and not against thee or thy devotions.
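
The idea in the post, a daemon that starts as root and then permanently becomes 'nobody' before it accepts any work, looks like this in C. This is an added example, not part of the original post; the function name `drop_to_user` and the result codes are made up for illustration, and a Linux/glibc system with a `nobody` account is assumed.

```c
#define _DEFAULT_SOURCE              /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum drop_result { DROP_OK, DROP_NO_USER, DROP_NOT_ROOT, DROP_FAILED };

/* Permanently switch the calling process to `username`.
 * Order matters: supplementary groups, then gid, then uid. Once the uid
 * has changed, the process no longer has the right to change the others. */
enum drop_result drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        return DROP_NO_USER;         /* refuse to guess a fallback account */
    if (geteuid() != 0)
        return DROP_NOT_ROOT;        /* only root may change identity */

    gid_t only_group = pw->pw_gid;
    if (setgroups(1, &only_group) != 0)   /* shed root's supplementary groups */
        return DROP_FAILED;
    if (setgid(pw->pw_gid) != 0)
        return DROP_FAILED;
    if (setuid(pw->pw_uid) != 0)     /* as root: real, effective and saved uid */
        return DROP_FAILED;

    /* Verify the drop is irreversible: regaining root must now fail. */
    if (pw->pw_uid != 0 && (setuid(0) == 0 || geteuid() == 0))
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* A real daemon would first do the few things that need root,
     * such as binding a port below 1024, and only then drop. */
    enum drop_result r = drop_to_user("nobody");
    if (r != DROP_OK) {
        fprintf(stderr, "could not drop privileges (code %d), exiting\n", r);
        return 1;                    /* never carry on as root by accident */
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    /* ... accept untrusted work here ... */
    return 0;
}
```

Started as root, the program prints the uid and gid of 'nobody'; started as an ordinary user, it refuses to continue instead of running with whatever privileges it happened to inherit.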