On Wed, 2002-08-21 at 18:53, Eric Robinson wrote:
>
> It seems to me that removing fodder for brute-force password guessing
> programs would be a good thing

Yeah, spare accounts that can be logged in to are bad.

> and so would removing accounts for services
> that I don't use or need.

How? An entry in the password file that has no password is nothing more than a label corresponding to a UID.

The likely outcomes of removing the accounts include, among other things:

* Some rpm installation may fail in the future because a required user doesn't exist.
* Some daemon may fail to start because its user doesn't exist.
* You may find a file that was owned by one of those users, and be less able to identify its purpose without the username, or rpm may begin to complain about those files during package verification.
* You may mount an NFS volume and be unable to identify the owner of a file on the remote server.

And on the other side: nothing. There's no positive benefit from removing the users. Why bother?

> My question, really, was whether I can safely delete these accounts.

Maybe. That's about as good as it gets. Some you might be really sure that you'll never use, like "gopher", but others you might be unable to predict your need for, like "daemon" or "adm".

> FYI, I have forwarded your message to Gerhard Mourani, author of "Securing
> and Optimizing Linux, Red Hat Edition - A Hand's On Guide." It was from
> section 5.13 of that 400+ page tome that I received the suggestion to delete
> those standard accounts.

Yeah... that portion of the document has been discussed on these lists before.

> I am naturally curious to hear his response to your
> assertion. Since I note that you are a veteran of computer security (I've
> seen your gspot patch on packetstorm)

buahahahaaha

Oh, crap... I thought that'd been forgotten :)

Occasionally I show that program to people for a laugh. When I wrote that, I showed it to my boss... He said I'd created "an incredibly powerful hacking tool", but I'd never have gone that far.

gspot does not qualify me as a veteran of computer security :)

> I am willing to believe that either
> of you could be right. For my part, I'm just the hapless sysadmin caught
> between conflicting rules of best practice. At the moment, I am still
> leaning toward implementing Gerhard's suggestion.

Well, if he can produce a compelling argument, I'm more than willing to listen to it ;)
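
The distinction drawn in the reply above, between an account that can be logged in to and an entry that is only a label for a UID, can be checked from the password files themselves. The following is an added example, not part of the original message: it assumes the standard passwd/shadow field layout, uses constructed sample entries, and also flags the edge case of an empty password field, which is not locked.

```python
# Constructed sample entries in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/bin/bash
olduser:x:500:500::/home/olduser:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hashvalue:11920:0:99999:7:::
daemon:*:11920:0:99999:7:::
gopher:*:11920:0:99999:7:::
olduser:$1$constructed$hashvalue:11920:0:99999:7:::
guest::11920:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def password_state(field):
    """Classify the password field of a shadow (or old-style passwd) entry."""
    if field == "":
        return "empty"   # no password is asked for at all
    if field[0] in "*!":
        return "locked"  # can never match a hash, so no password login
    return "set"


def audit(passwd_text, shadow_text):
    """Return {user: (password_state, has_login_shell)} for each passwd entry."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip blank or malformed lines
        name, pw, shell = parts[0], parts[1], parts[6]
        # "x" points at shadow; a missing shadow entry is treated as locked
        field = shadow.get(name, "*") if pw == "x" else pw
        report[name] = (password_state(field), shell not in NOLOGIN_SHELLS)
    return report


def password_login_candidates(report):
    """Accounts a password-guessing program could actually get into."""
    return sorted(u for u, (state, shell_ok) in report.items()
                  if state != "locked" and shell_ok)

if __name__ == "__main__":
    print(password_login_candidates(audit(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

In the sample, "gopher" and "daemon" are locked and drop out of the review list, while the unused "olduser" and the empty-password "guest" are the entries worth acting on.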