Marcel,

On Mon, 10 Dec 2001, Marcel Fréchette wrote:

> I am looking for help with system accounts or special accounts. On the Red
> Hat 7.1 Linux systems I installed on my machines, over 20 of them exist in
> files passwd and shadow (eg shutdown, nobody, named). I want to understand
> them more, why they are there, and of course how to use them.

You will notice that different files and directories are owned by different users (and groups). This is part of the Unix model: different tasks should be run (and related files owned) by different users. In addition, separate users can be assigned different resources (and capabilities) like amount of memory and number of file descriptors. (Plus there are various setuid or setgid executables which will run as a different user or group.)

For example, nobody is the user to use when you want to run a program that has no privileges (except maybe to write to a tmp directory); nobody should own no files[1].

named is the user that the BIND name server daemon runs as; so if named were to crash or be exploited, only the files owned by named could possibly be compromised.

I know on some Unix systems, a shutdown (or halt) user is simply available so a shutdown can be done when that user logs in. (A password would need to be set and the UID modified or the shutdown tool changed so it does the right thing.)

As you can see, the goal with having multiple users is to limit the amount of privilege needed.

> Also, in the /etc/shadow file of the last system I installed, 15 of the 22
> system accounts have a single asterisk "*" in the encrypted password field,
> and the remaining 7 have a double exclamation mark "!!" in there. What do
> those values mean?

When the asterisk is there, nothing can match it. An exclamation mark means a password (or account) is locked via usermod(8). Also, a single exclamation mark means that an account is not allowed for logins. So a double exclamation makes sure that if it was unlocked, it would still have an invalid passwd.

They simply mean that no password is available (you can't log in remotely with a password for these accounts).

Jeremy C. Reed
http://bsd.reedmedia.net/ -- BSD news and resources
http://www.isp-faq.com/ -- find answers to your questions

[1] Of course, many still run maintenance scripts that create temporary nobody-owned files or Apache (or CGI) that could create files owned by nobody. This is a security issue.

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
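As an added example (not part of Jeremy's message or anything from the Red Hat list), here is a small Python audit that classifies the encrypted-password field of /etc/shadow entries the way the reply above describes ("*" unmatchable, "!"/"!!" locked, a hash usable). The shadow lines it parses are constructed samples, not taken from any real host.

```python
# Added example, not from the original message: audit which /etc/shadow
# entries could authenticate with a password at all.
# SAMPLE_SHADOW is constructed; the hash values are placeholders, not real hashes.

# fields: name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$1$constructedsalt$constructedhashvalue123456:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
nobody:*:11000:0:99999:7:::
named:!!:11000:0:99999:7:::
shutdown:!!:11000:0:99999:7:::
alice:!$1$constructedsalt$constructedhashvalue123456:11000:0:99999:7:::
guest::11000:0:99999:7:::
"""


def classify_password_field(field: str) -> str:
    """Describe how the encrypted-password field affects password logins.

    '*'        -> nothing can match it; password login impossible
    '!!'       -> locked, and still invalid even after one '!' is removed
    '!<hash>'  -> locked via usermod(8), but a real hash sits behind the lock
    ''         -> empty field: no password required at all (worth flagging)
    otherwise  -> a hash is set: password login possible
    """
    if field == "":
        return "empty-no-password-required"
    if field == "*":
        return "unmatchable"
    if field.startswith("!"):
        behind_lock = field.lstrip("!")
        return "locked-with-hash" if behind_lock else "locked-no-hash"
    return "password-set"


def audit_shadow(text: str) -> dict:
    """Map each account name to its classification; malformed lines are skipped."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue  # blank or malformed line
        result[parts[0]] = classify_password_field(parts[1])
    return result


def accounts_allowing_password_login(text: str) -> list:
    """Names whose field would let a password authenticate right now."""
    return sorted(name for name, cls in audit_shadow(text).items()
                  if cls in ("password-set", "empty-no-password-required"))


if __name__ == "__main__":
    for name, cls in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name:10s} {cls}")
```

Run against a real shadow file (as root) by feeding its contents to audit_shadow; any account reported by accounts_allowing_password_login that is not a human user deserves a look.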