Hi,

This is good, but I am still not comfortable with the way those accounts are actually used. For instance (and those are only examples):

- I see several (most) system accounts have no command (shell) assigned in /etc/passwd, or have /bin/false. I have read this means they are not supposed to log in. But then, how are they used?

- Consider the /var/named directory. On my system it contains 3 files, all owned by system account 'named' with permissions rw-r--r-- (644). If I want to edit file named.local, say, I can su root and edit the file from there or from root, su named, because then the password is not asked for. Is there a better way?

- From what you tell me below about the shutdown account, if I assign it the command /sbin/shutdown in /etc/passwd, and then a password, then I could su or login to it from a regular user account to shutdown the machine. Is this the general procedure?

- How do I go about running a privilege-less program with nobody?

- How do you go about assigning resources to system accounts? I have seen ulimit, but that's a shell built-in.

- I tried usermod -U on a system account I don't use (postgres), and the second exclamation mark in /etc/shadow went away. But usermod -L did not bring it back.

- I have seen (too) short hints on the net about deleting system accounts that I do not use. For one of them (can't recall which), there was a side-effect, that is, some cron script had to be edited after the account was removed.

So I have many questions. I have searched the net only to find course descriptions, hints about deleting unused accounts, and other generalities. Nothing comprehensive. Since a full install of Red Hat Deluxe 7.1 sets up 30 system accounts, assigned to specific UIDs below 100, does detailed documentation about them exist, describing the "mission" of each account, how it's used, which files/directories it typically owns, how to safely delete/recreate it, etc?

Thanks,

Marcel Frechette

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy C. Reed
Sent: Tuesday, December 11, 2001 06:26
To: [EMAIL PROTECTED]
Subject: Re: Special accounts

Marcel,

On Mon, 10 Dec 2001, Marcel Fréchette wrote:

> I am looking for help with system accounts or special accounts. On the Red
> Hat 7.1 Linux systems I installed on my machines, over 20 of them exist in
> files passwd and shadow (eg shutdown, nobody, named). I want to understand
> them more, why they are there, and of course how to use them.

You will notice that different files and directories are owned by different users (and groups). This is part of the Unix model: different tasks should be run (and related files owned) by different users. In addition, separate users can be assigned different resources (and capabilities) like amount of memory and number of file descriptors. (Plus there are various setuid or setgid executables which will run as a different user or group.)

For example, nobody is the user to use when you want to run a program that has no privileges (except maybe to write to a tmp directory); nobody should own no files[1]. named is the user that the BIND name server daemon runs as; so if named was to crash or be exploited, only the files owned by named could possibly be compromised. I know on some Unix systems, a shutdown (or halt) user is simply available so a shutdown can be done when that user logs in. (A password would need to be set and the UID modified or shutdown tool changed so it does the right thing.)

As you can see, the goal with having multiple users is to limit the amount of privilege needed.

> Also, in the /etc/shadow file of the last system I installed, 15 of the 22
> system accounts have a single asterisk "*" in the encrypted password field,
> and the remaining 7 have a double exclamation mark "!!" in there. What do
> those values mean?

When the asterisk is there, nothing can match it. An exclamation mark means a password (or account) is locked via usermod(8). Also, a single exclamation mark means that an account is not allowed for logins. So a double exclamation makes sure that if it was unlocked, it would still have an invalid passwd. They simply mean that no password is available (you can't login remotely with a password for these accounts).

Jeremy C. Reed
http://bsd.reedmedia.net/ -- BSD news and resources
http://www.isp-faq.com/ -- find answers to your questions

[1] Of course, many still run maintenance scripts that create temporary nobody-owned files or Apache (or CGI) that could create files owned by nobody. This is a security issue.

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
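As an added example (not part of the thread above, nor Red Hat's or shadow-utils' own code), the following POSIX shell script turns Jeremy's explanation of the /etc/shadow password field into a small audit: it classifies each account's field as "*" (nothing can match), "!" or "!!" (locked, no password behind it), "!" followed by a hash (a real password locked by usermod -L, which usermod -U would restore), empty (password-less login, the one case an administrator wants to find and fix), or a usable hash. The sample input is constructed in the same format as /etc/shadow; the hashes in it are placeholders, not real password hashes.

```shell
#!/bin/sh
# Added example: audit the password field of /etc/shadow entries.
# Field meanings follow the explanation in the thread:
#   "*"          nothing can match it (no password login possible)
#   "!" / "!!"   locked; "!!" stays invalid even after one usermod -U
#   "!<hash>"    a usable hash locked with usermod -L (usermod -U unlocks)
#   ""           empty: login without a password, should be fixed
#   anything else  a usable password hash

classify_shadow_field() {
  field=$1
  case "$field" in
    "")        echo "EMPTY-PASSWORD" ;;
    "*")       echo "NO-MATCH" ;;
    "!"|"!!")  echo "LOCKED-NO-PASSWORD" ;;
    "!"*)      echo "LOCKED-HASH" ;;
    *)         echo "HASH" ;;
  esac
}

# Print one line per account: user name and classification of its field.
# Usage on a real system (as root): audit_shadow /etc/shadow
audit_shadow() {
  while IFS=: read -r user pw rest; do
    [ -n "$user" ] || continue
    printf '%-10s %s\n' "$user" "$(classify_shadow_field "$pw")"
  done < "$1"
}

# Constructed sample in /etc/shadow format; hashes are placeholders only.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:11666:0:99999:7:::
bin:*:11666:0:99999:7:::
nobody:*:11666:0:99999:7:::
named:!!:11666:0:99999:7:::
postgres:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:11666:0:99999:7:::
guest::11666:0:99999:7:::
EOF
audit_shadow "$SAMPLE"
rm -f "$SAMPLE"
```

On a live system the interesting output lines are EMPTY-PASSWORD (an account anyone can log in to) and HASH on a system account that should never have had a password set. The shell column in /etc/passwd is the other half of the check: an account whose shell is /bin/false or nologin cannot get an interactive login even with a valid hash, which is the usual reason daemon accounts like named can own files and run a service without ever logging in.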