Re: System Accounts
Adam Spickler <adam@whaddu.com>:
> Hello,
> In /etc/passwd verify that they are actually loginable. Some
> daemons/programs, etc. need an account to run, but don't actually
> need to login. This would be for security reasons, so you don't run
> it as root, thus making it harder for someone to exploit your
> server and gain root access.
>
> -Adam
>
> On Mon, Oct 14, 2002 at 09:47:42AM -0400, R. Bradley Tilley wrote:
> > Hello,
> >
> > I am experimenting with a Debian system to be used as a firewall/gateway. I am
> > using Debian 3.0 with the 2.4.18 kernel. I did a basic install selecting the
> > Unix server task. Just wondering why there are so many accounts with shell
> > access installed by default?
> >
> > games, irc, news, gnats, lp, uucp, operator, backup, etc.
> >
> > For security reasons, I would like to remove these accounts, but I don't
> > understand how the system uses them, or if it uses them at all. Can someone
> > explain this? Also, what are the bare minimum accounts?
> >
> > Thank you,
> > Brad
...
Also, we use the login name <-> uid conversion present in /etc/passwd
and the ability to control access to files by virtue of using different
uid's for different purposes:
# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' passwd
games:x:5:100:games:/usr/games:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
irc:x:39:39:ircd:/var:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
But the shell doesn't have to be a valid login shell.
Setting the shell to /bin/false might help.
mysql and sshd do run on my box:
# grep false passwd
identd:x:100:65534::/var/run/identd:/bin/false
telnetd:x:102:102::/usr/lib/telnetd:/bin/false
cvs:x:103:103::/home/cvsroot:/bin/false
smmsp:x:105:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
oftpd:x:101:65534::/home/oftpd:/bin/false
sshd:x:104:65534::/var/run/sshd:/bin/false
mysql:x:106:106:MySQL Server:/var/lib/mysql:/bin/false
dictd:x:107:107::/home/dictd:/bin/false
And the account should be disabled like in:
# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' shadow
games:*:11700:0:99999:7:::
lp:*:11700:0:99999:7:::
news:*:11700:0:99999:7:::
uucp:*:11700:0:99999:7:::
backup:*:11700:0:99999:7:::
operator:*:11700:0:99999:7:::
irc:*:11700:0:99999:7:::
gnats:*:11700:0:99999:7:::
Regards,
/Karl
-----------------------------------------------------------------------
Karl Hammar Aspö Data karl@kalle.csb.ki.se
Lilla Aspö 2340 +46 173 140 57 Networks
S-742 94 Östhammar +46 18 26 09 00 Computers
Sweden +46 10 270 26 67 Consulting
-----------------------------------------------------------------------
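The two checks Karl describes above (a non-login shell in /etc/passwd and a disabled password in /etc/shadow) can be combined into one audit. The script below is an added example, not part of Karl's mail; it builds a small constructed passwd/shadow pair in a temp directory so it runs offline, lists every account that is still loginable and unlocked, and prints (rather than runs) the usermod commands that would disable the system ones. The function names, the sample entries and the uid < 1000 cut-off for "system account" are assumptions for the example.

```shell
#!/bin/sh
# Audit a passwd/shadow pair for accounts that are both loginable (a real
# shell) and not disabled (shadow password field not starting with * or !).
# Added example; the sample files below are constructed, not from a real box.
set -e

TMPDIR_AUDIT=$(mktemp -d)
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT
PASSWD="$TMPDIR_AUDIT/passwd"
SHADOW="$TMPDIR_AUDIT/shadow"

# Constructed sample: root and brad are real users; games is already locked;
# lp has a login shell AND a live password; sshd/mysql use /bin/false.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:5:100:games:/usr/games:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
sshd:x:104:65534::/var/run/sshd:/bin/false
mysql:x:106:106:MySQL Server:/var/lib/mysql:/bin/false
brad:x:1000:1000:Brad:/home/brad:/bin/bash
EOF

cat > "$SHADOW" <<'EOF'
root:$1$constructedhash:11700:0:99999:7:::
games:*:11700:0:99999:7:::
lp:$1$anotherconstructedhash:11700:0:99999:7:::
sshd:*:11700:0:99999:7:::
mysql:!:11700:0:99999:7:::
brad:$1$userhash:11700:0:99999:7:::
EOF

# Print name:uid:shell for every account whose shell is not /bin/false or a
# nologin binary AND whose shadow entry is not locked. An account with no
# shadow entry at all is reported too, since it cannot be shown to be locked.
audit_loginable_accounts() {  # $1 = passwd file, $2 = shadow file
    awk -F: '
        FNR == NR { pw[$1] = $2; next }          # first file read: shadow
        {
            shell   = $7
            nologin = (shell == "/bin/false" || shell == "/sbin/nologin" ||
                       shell == "/usr/sbin/nologin")
            locked  = (pw[$1] ~ /^[*!]/)         # "*" or "!" = disabled password
            if (!nologin && !locked) print $1 ":" $3 ":" shell
        }
    ' "$2" "$1"
}

# For the flagged system accounts (uid below 1000, but not root), emit the
# usermod invocation that sets a non-login shell and locks the password.
# Commands are printed for review, not executed.
lock_commands_for_system_accounts() {  # $1 = passwd file, $2 = shadow file
    audit_loginable_accounts "$1" "$2" | awk -F: '
        $2 > 0 && $2 < 1000 { print "usermod -L -s /bin/false " $1 }
    '
}

echo "Loginable, unlocked accounts (name:uid:shell):"
audit_loginable_accounts "$PASSWD" "$SHADOW"
echo
echo "Suggested lock commands for system accounts:"
lock_commands_for_system_accounts "$PASSWD" "$SHADOW"
```

On the sample data the audit reports root, lp and brad; only lp falls in the system uid range, so the single suggested command is `usermod -L -s /bin/false lp`. Point the two functions at the real /etc/passwd and /etc/shadow (as root) to audit a live system; the uid threshold should match UID_MIN in the system's login.defs.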