
Re: System Accounts



Adam Spickler <adam@whaddu.com>:
> Hello,
> In /etc/passwd verify that they are actually loginable.  Some
> daemons/programs, etc need an account to run, but don't actually
> need to login.  This would be for security reasons, so you don't run
> it as root, thus, making it harder for someone to exploit your
> server and gain root access.
> 
> -Adam
> 
> On Mon, Oct 14, 2002 at 09:47:42AM -0400, R. Bradley Tilley wrote:
> > Hello,
> > 
> > I am experimenting with a Debian system to be used as a firewall/gateway. I am 
> > using Debian 3.0 with the 2.4.18 kernel. I did a basic install selecting the 
> > Unix server task. Just wondering why there are so many accounts with shell 
> > access installed by default? 
> > 
> > games, irc, news, gnats, lp, uucp, operator, backup, etc.
> > 
> > For security reasons, I would like to remove these accounts, but I don't 
> > understand how the system uses them, or if it uses them at all. Can someone 
> > explain this? Also, what are the bare minimum accounts? 
> > 
> > Thank you,
> > Brad
...

Also, we use the login name <-> uid conversion present in /etc/passwd
and the ability to control access to files by virtue of using different
uid's for different purposes:

 # egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' passwd
 games:x:5:100:games:/usr/games:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 operator:x:37:37:Operator:/var:/bin/sh
 irc:x:39:39:ircd:/var:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

But the shell doesn't have to be a valid login shell.
Setting the shell to /bin/false might help.
mysql and sshd do run on my box:

 # grep false passwd
 identd:x:100:65534::/var/run/identd:/bin/false
 telnetd:x:102:102::/usr/lib/telnetd:/bin/false
 cvs:x:103:103::/home/cvsroot:/bin/false
 smmsp:x:105:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
 oftpd:x:101:65534::/home/oftpd:/bin/false
 sshd:x:104:65534::/var/run/sshd:/bin/false
 mysql:x:106:106:MySQL Server:/var/lib/mysql:/bin/false
 dictd:x:107:107::/home/dictd:/bin/false

And the account should be disabled like in:

 # egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' shadow
 games:*:11700:0:99999:7:::
 lp:*:11700:0:99999:7:::
 news:*:11700:0:99999:7:::
 uucp:*:11700:0:99999:7:::
 backup:*:11700:0:99999:7:::
 operator:*:11700:0:99999:7:::
 irc:*:11700:0:99999:7:::
 gnats:*:11700:0:99999:7:::

Regards,
/Karl

-----------------------------------------------------------------------
Karl Hammar                    Aspö Data           karl@kalle.csb.ki.se
Lilla Aspö 2340             +46  173 140 57                    Networks
S-742 94 Östhammar          +46 18 26 09 00                   Computers
Sweden                     +46  10 270 26 67                 Consulting
-----------------------------------------------------------------------
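
The two checks described in the message above (login shell in passwd, disabled password in shadow), combined into one audit. This is an added example, not part of the original post; the uid cutoff of 1000, the set of non-login shells, and the sample accounts svcdemo and alice are assumptions.

```sh
#!/bin/sh
# Added example. Reports system accounts (0 < uid < max) that keep a login
# shell or whose shadow password field is not locked.
# Assumptions: max defaults to 1000; /bin/false and */nologin are non-login
# shells; a shadow field starting with "*" or "!" is locked.
audit_system_accounts() {   # usage: audit_system_accounts PASSWD SHADOW [MAX]
    awk -F: -v max="${3:-1000}" '
        # First file (shadow): remember each password field.
        FILENAME == ARGV[1] { pw[$1] = $2; known[$1] = 1; next }
        # Second file (passwd): system accounts only, root excluded.
        $3 + 0 > 0 && $3 + 0 < max + 0 {
            finding = ""
            if ($7 != "/bin/false" && $7 !~ /\/nologin$/)
                finding = "login-shell"
            if (!($1 in known))        state = "no-shadow-entry"
            else if (pw[$1] == "")     state = "empty-password"
            else if (pw[$1] ~ /^[*!]/) state = "locked"
            else                       state = "password-set"
            if (state != "locked")
                finding = (finding == "" ? "" : finding ",") state
            if (finding != "")
                print $1 ":" $3 ":" $7 ":" finding
        }
    ' "$2" "$1"
}

# Constructed sample files: entries in the style of the listings above, plus
# invented accounts (svcdemo, alice) and placeholder password hashes.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:5:100:games:/usr/games:/bin/sh
sshd:x:104:65534::/var/run/sshd:/bin/false
svcdemo:x:120:120::/var/lib/svcdemo:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$placeholder:11700:0:99999:7:::
games:*:11700:0:99999:7:::
sshd:!:11700:0:99999:7:::
svcdemo:$1$constructed$placeholder:11700:0:99999:7:::
alice:$1$constructed$placeholder:11700:0:99999:7:::
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp" &&
    audit_system_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

Each output line is name:uid:shell:findings; an account with a non-login shell and a locked password produces no line.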
