
Re: pruning cruft in /etc/passwd and /etc/group



> > Over years of testing software, my /etc/passwd and /etc/group files are 
> > littered with leftover junk.  Here are some entries in /etc/passwd which
> > don't correspond to any actual or useful virtual users that I'm aware 
> > of:
> > 
> > backup bin daemon games irc list lp mail man messagebus operator 
> > proxy sync sys uucp
> 
> You're wrong. They're used by certain daemons. I am not going to list
> every entry against the likely candidate, either. Suffice it to say that
> they're part of tradition, and at a lower level, convey the underlying
> permissions about how a lot of applications operate.

If that's true, then 'find -user' should show me what files are 
involved, and what their permissions are.  I haven't gone down that road 
yet.

> > As a general security measure, I want to prune the useless entries from 
> > these files (and /etc/shadow too, of course).  The problem is to be sure
> > that before I remove an entry, it's not going to make bad things happen.
> 
> If you do that, you will break all your permissions on your system at a
> fundamental level!

See above.  But I take your point; I certainly want to be careful about 
doing this.  That's why I wrote.

> Furthermore, I can't quite see where your argument or
> concern about security stems from. These are not "users" that login.
> They're static -- defined by the system (and fairly common across all
> Linux variants, and Unixes that I know of, bar one or two exceptions). The
> idea is flawed, and without reason.

Flawed maybe, but not without reason.  Each line in /etc/shadow 
represents, at least conceptually, a point of attack on the system.  
More users, whether login or not, also means more complexity of 
permissions and ownership, and more chance of getting something wrong 
that creates a security hole.  OTOH, it also tends to compartmentalize 
privilege, which is good.

> [..snip..]

Snip away, but my question remains whether anyone has written any 
guidance about this, besides your general and unuseful "don't touch 
anything or you'll break something."
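An added example, not from anyone in this thread: a POSIX shell audit that carries out the 'find -user' check mentioned above for every system account in a passwd file, using numeric UIDs so that any passwd file can be audited, not just the live one. The UID cutoff of 999, the tab-separated output and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example. For every account in PASSWD_FILE whose UID is at or below
# MAX_UID (assumed default 999, i.e. a "system" account), count the files
# under ROOT owned by that UID.  -uid is used instead of -user so the check
# works against a copy of the file as well as the live /etc/passwd.
# Output: one line per account, name<TAB>uid<TAB>owned_file_count
audit_passwd_owners() {
    passwd_file=$1
    root=$2
    max_uid=${3:-999}
    while IFS=: read -r name _ uid _ _ _ _; do
        # skip malformed lines and non-numeric UID fields
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -le "$max_uid" ] || continue
        count=$(find "$root" -xdev -uid "$uid" 2>/dev/null | wc -l | tr -d ' ')
        printf '%s\t%s\t%s\n' "$name" "$uid" "$count"
    done < "$passwd_file"
}

# Accounts that own nothing under ROOT are the ones worth a closer look before
# pruning.  A zero count is not proof the entry is unused: as the earlier reply
# notes, a daemon can still switch to that UID at runtime without owning files.
unowned_accounts() {
    audit_passwd_owners "$@" | awk -F'\t' '$3 == 0 { print $1 }'
}
```

Run it as `audit_passwd_owners /etc/passwd /` to see the per-account counts, or `unowned_accounts /etc/passwd /` for just the names with nothing on disk.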
