This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
Russ,

Thanks! Security is the big issue . . . the decoders/* calls are the only ones I have not dealt with to run as a service as opposed to running in user space (i.e. ldm); we've long since replaced scour as it was a hazard early on.

But you answered the main thing - which is the philosophy of UNIDATA; we want all of our installations to look as much like a straight LDM installation as possible, and in keeping with that, we'll continue using an LDM account.

Stonie

On Tuesday 12 November 2002 17:18, Russ Rew wrote:
> >To: address@hidden
> >From: "Stonie R. Cooper" <address@hidden>
> >Subject: Re: 20021108: Importance of LDM account
> >Organization: Planetary Data, Incorporated
>
> Stonie,
>
> > I've been a user of LDM, one way or another, since the early 1990's.
> >
> > In the old days, it seemed more obvious why the LDM suite of applications
> > were sequestered to an "ldm" account.
> >
> > It doesn't seem so obvious anymore. What is your feeling, or Unidata's
> > for that matter, on LDM being treated more like a service (like sendmail
> > or apache) where root owns the ldm tree, and the group is set to a common
> > met-apps group - like "data"?
>
> I think running the LDM system as root would invite security problems.
> Each decoder process would be run as root, and getting the right EXEC
> line in the pqact.conf configuration file would be enough to
> compromise a system. Running the crufty old shell script which is
> "scour" as root could easily delete more than was intended, if an error were
> made in the scour configuration file. When you design things to be
> run as root, you have to take a lot more care in checking for security
> problems and the consequences of mistakes than when you are protected
> by running as a pseudo-user such as "ldm". I don't see the benefits
> to be gained by running as root that would balance the costs of
> redesigning everything with security in mind.
>
> --Russ
>
> _____________________________________________________________________
>
> Russ Rew                                         UCAR Unidata Program
> address@hidden                          http://www.unidata.ucar.edu

--
Stonie R. Cooper
Planetary Data, Incorporated
ph. (402) 782-6611

"Growth for the sake of growth is the ideology of the cancer cell." - Edward Abbey
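
The concern raised in this thread (EXEC actions in pqact.conf inheriting whatever account the LDM runs under) can be checked before startup. The following is an added example, not code from the thread or from Unidata; it assumes a simplified pqact.conf layout (whitespace-separated fields, continuation lines starting with whitespace), and the sample entries, paths and function names are constructed for illustration.

```python
import os
import stat

# Constructed sample; feed types, patterns and paths are invented.
SAMPLE_PQACT = (
    "# constructed example entries\n"
    "WMO\t^SAUS\tFILE\tdata/surface/metar.txt\n"
    "HDS\t^H.*KWBC\n"
    "\tEXEC\t/opt/ldm/decoders/grib_decode -v\n"
    "ANY\t^TEST\tEXEC\t/tmp/helper.sh\n"
)

def exec_programs(text):
    """Return the program named by each EXEC action (simplified parser)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:      # continuation of previous entry
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    progs = []
    for entry in entries:
        tokens = entry.split()
        if len(tokens) > 3 and tokens[2] == "EXEC":
            progs.append(tokens[3])
    return progs

def audit(text, euid, stat_fn=os.stat):
    """List reasons the EXEC actions are risky for the given effective uid."""
    findings = []
    progs = exec_programs(text)
    if euid == 0 and progs:
        findings.append(f"uid 0: {len(progs)} EXEC program(s) would run as root")
    loose = stat.S_IWGRP | stat.S_IWOTH
    for prog in progs:
        # A writable directory lets someone else swap the program itself.
        for path in (prog, os.path.dirname(prog)):
            try:
                mode = stat_fn(path).st_mode
            except OSError:
                findings.append(f"{path}: cannot stat")
                continue
            if mode & loose:
                findings.append(f"{path}: writable by group or others")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_PQACT, os.geteuid()):
        print(line)
```

An empty result from `audit` means no EXEC program would run as root and none is replaceable by an account other than its owner; the `stat_fn` parameter exists only so the check can be exercised without touching the real filesystem.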