Re: Bits from the release team: the plans for etch
Stephen Frost <firstname.lastname@example.org> writes:
> * Thomas Bushnell BSG (email@example.com) wrote:
>> Stephen Frost <firstname.lastname@example.org> writes:
>> > Leaving around unused accounts is plainly wrong too, and also a
>> > potential security risk.
>> Can you outline the risk please?
> Sure. Locking accounts isn't necessarily perfect.
What is an account in the password file? It's nothing more than the
ability to log in under a given UID. How is a starred password
anything other than perfect locking of the account?
> Checking that an account is locked requires going through more of
> the authentication system than just checking if the account exists.
> What happens if an admin gives a password to a system account and
> then forgets about the account after purging the software it's
> associated with?
The same thing that happens if he creates a setuid program using that