Re: pruning cruft in /etc/passwd and /etc/group
> > Over years of testing software, my /etc/passwd and /etc/group files are
> > littered with leftover junk. Here are some entries in /etc/passwd which
> > don't correspond to any actual or useful virtual users that I'm aware
> > of:
> >
> > backup bin daemon games irc list lp mail man messagebus operator
> > proxy sync sys uucp
>
> You're wrong. They're used by certain daemons. I am not going to list
> every entry against the likely candidate, either. Suffice it to say that
> they're part of tradition, and at a lower level, convey the underlying
> permissions about how a lot of applications operate.
If that's true, then 'find -user' should show me what files are
involved, and what their permissions are. I haven't gone down that road
yet.
> > As a general security measure, I want to prune the useless entries from
> > these files (and /etc/shadow too, of course). The problem is to be sure
> > that before I remove an entry, it's not going to make bad things happen.
>
> If you do that, you will break all your permissions on your system at a
> fundamental level!
See above. But I take your point; I certainly want to be careful about
doing this. That's why I wrote.
> Furthermore, I can't quite see where your argument or
> concern about security stems from. These are not "users" that login.
> They're static -- defined by the system (and fairly common across all
> Linux variants, and Unixes that I know of, bar one or two exceptions). The
> idea is flawed, and without reason.
Flawed maybe, but not without reason. Each line in /etc/shadow
represents, at least conceptually, a point of attack on the system.
More users, whether login or not, also means more complexity of
permissions and ownership, and more chance of getting something wrong
that creates a security hole. OTOH, it also tends to compartmentalize
privilege, which is good.
> [..snip..]
Snip away, but my question remains whether anyone has written any
guidance about this, besides your general and unuseful "don't touch
anything or you'll break something."
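As a worked version of the 'find -user' idea raised above, here is an added example (not the poster's script, and not anything the thread itself supplied) that audits one system account before it is pruned: it looks up the UID in a passwd-format file, counts filesystem objects owned by that UID, counts processes running as it, lists groups that carry it as a supplementary member, and counts files under a config directory that name it. The sample passwd and group lines at the bottom are constructed for the stand-alone run; the file paths, search root and config directory are parameters, so pointing it at /etc/passwd, /etc/group, / and /etc audits a live system.

```shell
#!/bin/sh
# audit_sysuser.sh: before deleting a system account, show what still
# depends on it. Added example for this thread, not the poster's script.
# POSIX sh plus find, awk, grep and (optionally) ps.

# UID of user $1 in the passwd-format file $2; prints nothing if absent.
passwd_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# Groups in the group-format file $2 that list $1 as a supplementary member.
member_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$2"
}

# Number of filesystem objects under $2 owned by numeric uid $1. Searching
# by uid rather than name also finds files already orphaned by an earlier
# deletion, and does not depend on name lookup working.
count_owned_by_uid() {
    find "$2" -xdev -uid "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Number of files under $2 that mention $1 as a whole word (daemon configs
# that name the account they drop privileges to, for instance).
config_refs() {
    grep -rlw "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Number of running processes whose real uid is $1; 0 if ps is unavailable.
procs_running_as() {
    ps -eo uid= 2>/dev/null | awk -v u="$1" '$1 == u { c++ } END { print c + 0 }'
}

# Report for one candidate account. Returns 1 if it has no passwd entry.
# $1=user  $2=passwd file  $3=group file  $4=filesystem root  $5=config dir
audit_account() {
    uid=$(passwd_uid "$1" "$2")
    if [ -z "$uid" ]; then
        echo "$1: no passwd entry"
        return 1
    fi
    sup=$(member_of "$1" "$3" | tr '\n' ' ')
    echo "$1 (uid $uid):"
    echo "  objects owned under $4: $(count_owned_by_uid "$uid" "$4")"
    echo "  processes running as uid $uid: $(procs_running_as "$uid")"
    echo "  supplementary member of: ${sup:-none}"
    echo "  files under $5 naming it: $(config_refs "$1" "$5")"
}

# With arguments: sh audit_sysuser.sh /etc/passwd /etc/group / /etc games lp
# Without arguments: run against constructed sample files in a temp dir.
if [ $# -ge 5 ]; then
    pw=$1; gr=$2; root=$3; conf=$4; shift 4
    for u in "$@"; do audit_account "$u" "$pw" "$gr" "$root" "$conf" || :; done
else
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'games:x:5:60:games:/usr/games:/usr/sbin/nologin' \
        'messagebus:x:103:109::/nonexistent:/usr/sbin/nologin' > "$tmp/passwd"
    printf '%s\n' 'root:x:0:' 'games:x:60:' 'lp:x:7:messagebus' \
        'messagebus:x:109:' > "$tmp/group"
    for u in games messagebus lp; do
        audit_account "$u" "$tmp/passwd" "$tmp/group" "$tmp" "$tmp" || :
    done
    rm -rf "$tmp"
fi
```

The script only reports; whether an account with zero owned files, zero processes and no config references is safe to drop is still a judgement call, since a package may recreate or expect it later. After any removal, `find / -xdev -nouser -o -nogroup` shows what was left behind owned by a UID or GID that no longer resolves.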