* Thomas Bushnell BSG (tb@becket.net) wrote: > Stephen Frost <sfrost@snowman.net> writes: > > > Leaving around unused accounts is plainly wrong too, and also a > > potential security risk. > > Can you outline the risk please? Sure. Locking accounts isn't necessairly perfect. Checking that an account is locked requires going through more of the authentication system than just checking if the account exists. What happens if an admin gives a password to a system account and then forgets about the account after purging the software it's associated with? Not everything which does authentication using /etc/passwd checks /etc/shells. Some authentication systems don't use passwords too (Kerberos). Not everything on the system uses PAM and may not follow the same account-locking rules as PAM. Even sudo scripts left around might cause problems if the account still exists, where if the account just didn't exist the sudo script would fail from the get-go. Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature