RE: [suse-security] Info on passwords
Hi,
when i install suse my passwd file have a lot of users, like dbmaker and so on. How can i know these users password ? If you look into /etc/shadow you see something like this:
bin:*:8902:0:10000:-1:-1:-1: daemon:*:8902:0:10000:-1:-1:-1: lp:*:9473:0:10000:-1:-1:-1: uucp:*:0:0:10000:-1:-1:-1: games:*:0:0:10000:-1:-1:-1: The second field is for the password and as you can see it is a '*'. This means nobody can login as one of these users as they do not have a valid password.
Personally I think it is ridiculous that I have users: informix, db2[...], amande, virtuouso etc etc when I don't use or intend to use them on this boxen. Why should I have all these accounts and they are not even attached to *real* users or processes? Can you not make the installation remove the users that are not needed and install the users when an app does need them? Why this effort? It is no security risk to have these users because as stated above, they can not log in. If anything is done by these users someone (root) has to su to one of them.
to increase the system-security set the shell of this user to "/bin/false" There is no reason to do this.
Is there an account less dangerous than one whith a '*' in the pw field? - No. Greetings Malte Sandow
On Tue, Nov 30, 1999 at 10:21:06AM +0100, Sandow, Malte wrote:
Why this effort? It is no security risk to have these users because as stated above, they can not log in. If anything is done by these users someone (root) has to su to one of them.
Hi all, Let me share an anticdote, <lol>. I happened to get root access to a friends computer and noticed that he had a lot of users in his passwd file. So I added a user with a weird name that looked like a legitimate process and gave it a UID of 0. Anyway, with all those users in the passwd file, a user that does not know what they are looking for, will not catch something like what I had done, until it was too late. We could if this to death, but I personally prefer a small /etc/passwd. tflat -- _________________________________________________________ James F. Wilkus http://www.xnot.com/editek Licq 10933411 geek by nature, linux by choice
Hi,
Let me share an anticdote, <lol>. I happened to get root access to a friends computer and noticed that he had a lot of users in his passwd file. So I added a user with a weird name that looked like a legitimate process and gave it a UID of 0. Anyway, with all those users in the passwd file, a user that does not know what they are looking for, will not catch something like what I had done, until it was too late. We could if this to death, but I personally
Marc
participants (3)
-
James F Wilkus
-
Sandow, Malte
-
Thomas Biege