Why do some packages require their own user to run?

If I understand your question properly, you're asking why must an svn user be created for svn, and a www-data user created for apache, etc. Correct?

The reason is for security. The basic concept at play is called "isolation," and is a common practice. The main basic idea is that if each service runs as its own user, then if there is ever a security flaw or bug discovered in the program, the flaw would only be exploitable to the extent allowed by that user.

For example, suppose somebody figured out how to hack into SVN and delete all of your files. (This is not a real security flaw, and likely never will be, but just assume, for the sake of argument)... If you ran the SVN service as the 'root' user, then this theoretical hacker could start deleting all of your files. If, on the other hand, SVN requires its own user, then this theoretical hacker can only delete the files owned by the SVN user.

I hope this addresses your question... if not, please clarify, and I'll try again.


EDIT: To answer your comment...

It is usually/always possible to run any program as root. But it is usually inadvisable to do so, except when actually necessary. A very common approach to this sort of thing is to run every program with the least amount of permission necessary. This can also help prevent a bug in a program from inadvertently causing problems with other programs (another reason for security isolation, which I did not mention earlier).

However, there are times when a program must run as root, because it simply cannot do what it needs to do any other way. Some common tasks that require root privileges, and would thus be justification for not running as a separate user:

  • Accessing the system password database
  • Binding to (listening on) a privileged TCP port (i.e. ports 1-1023)
  • Interacting with the filesystem or certain hardware devices at a low level

Even within these (and other) categories, there are often ways to get around having to run as root. For instance, many network programs (Apache for instance) will start as the root user, then bind to port 80, then change users to www-data for the rest of their execution. So even when there are specific cases that require root access, often measures are taken to get around that requirement so that the process can run as a less-privileged user.
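The start-as-root, bind, then change-user sequence described above, as an added example (not part of the original answer and not Apache's own code). The function names are hypothetical, and the `nobody` account and port 80 in the demo are stand-ins for a service's own user and port.

```python
import json
import os
import pwd
import socket

def drop_privileges(username):
    """Permanently switch the current root process to `username`."""
    account = pwd.getpwnam(username)
    # Order matters: groups and gid must change while still root; after
    # setuid() the process no longer has permission to change them.
    os.setgroups([])
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)  # as root: sets real, effective and saved uid

def can_become_root():
    """True if this process is root or can still switch back to root."""
    try:
        os.setuid(0)
        return True
    except PermissionError:
        return False

def bind_then_drop(port, username):
    """Fork a worker that binds `port`, drops to `username`, reports back."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child plays the part of the service
        try:
            start_uid = os.geteuid()
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.bind(("0.0.0.0", port))  # port < 1024 normally needs root
            if start_uid == 0:
                drop_privileges(username)
            # The socket bound as root stays usable after the drop.
            report = {"start_uid": start_uid, "end_uid": os.geteuid(),
                      "bound_port": sock.getsockname()[1],
                      "regained_root": can_become_root()}
            os.write(write_end, json.dumps(report).encode())
        finally:
            os._exit(0)  # never fall back into the parent's code
    os.close(write_end)
    with os.fdopen(read_end) as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return json.loads(data) if data else None  # None: bind or drop failed

if __name__ == "__main__":
    # Run as root to see the drop; unprivileged, the bind to port 80 fails.
    print(bind_then_drop(80, "nobody"))
```

A real service would typically call `os.initgroups()` instead of clearing all supplementary groups, so the service account keeps the groups it is meant to have.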


Because the authors of those programs choose to use separate user databases rather than using the system password database.

One reason why that is sometimes done is if the program needs to have access to the plaintext version of the password, perhaps because it is implementing a network protocol which requires that, as there is no way to access the plaintext passwords for system users as they are only held in hashed form.

That is true, for example, with Apache, and by extension for svn when it is using HTTP basic authentication, as HTTP basic authentication requires access to the plaintext passwords.