However, reading the man pages, this still leaves user files in other locations extant on the system. This leads to the same problem I'd alluded to earlier: If you are in the habit of adding and deleting accounts to your system frequently, you may end up giving a new user access to a prior user's still-extant files.

Deleting userids is IMO *very* bad practice. At best, it should be done at some point *well after* the user's account has been rendered inactive, preferably several quarters or a year after, and *only* after all related data on the system have been otherwise attributed. Overeager early deletion or modifications can lead to system, data, or application failures. Providing transition time allows many of these conditions to be caught *without* introducing risk or hardship on the system.

Remember: security on Linux and Unix is fundamentally user-oriented, and the system's token for user identity is the UID number, *not* the semantic user name. A UID of 0 is equivalent to "root" whether the user is named "tree", "shrub", or "h4x0r". Similarly, removing a UID and later creating a new user with the same ID is equivalent to reinstating the prior user. If you don't want to provide a new user access to a former user's data, don't recycle UIDs.

A disabled account, with a null password, and a nonfunctional default shell (eg: /bin/false) is effectively removed from the system. The only way the UID can be activated is by running an 'su' from root.

On Fri, Aug 18, 2000 at 06:21:44PM -0700, Tal Danzig wrote:
> Or, if you want to completely purge the user and the user's home dir:
>
> userdel -r <username>
>
> Tal
>
>
> On Fri, 18 Aug 2000 16:39:51 -0700, kmself@ix.netcom.com said:
>
> > On Fri, Aug 18, 2000 at 08:38:21PM -0600, cls-colo spgs wrote:
> > > debs,
> > >
> > > what's the command for removing user accts?
> >
> > It's often better to *leave* the account intact, but to disable access
> > through it. This provides context for files and other residual data
> > from the user, which otherwise appear as owned by an unknown account
> > (numeric UID only). If you are in the habit of adding and deleting
> > accounts to your system frequently, you may end up giving a new user
> > access to a prior user's still-extant files.
> >
> > You might want to look at the "passwd -l" option.
> >
> > --
> > Karsten M. Self <kmself@ix.netcom.com>        http://www.netcom.com/~kmself
> >  Evangelist, Opensales, Inc.                    http://www.opensales.org
> >   What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
> >    http://gestalt-system.sourceforge.net/        K5: http://www.kuro5hin.org
> > GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
>
>
> --
> Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null

--
Karsten M. Self <kmself@ix.netcom.com>        http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/        K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
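An added illustration of the UID-recycling point made in the thread above (example script, not part of the original messages): a POSIX sh script run over a constructed /etc/passwd snapshot and a constructed `find / -xdev -printf '%U %p\n'` listing. It reports files whose owner UID no longer has an account, shows that such a UID is free to be handed to a newcomer, and checks that a kept-but-disabled account has both a locked password field (the `!` that Linux `passwd -l` prepends) and a non-login shell. The user names, UIDs and paths are all constructed.

```shell
#!/bin/sh
# Constructed /etc/passwd snapshot: UID 1000 ("tree") was deleted with userdel,
# "shrub" was kept but locked, "h4x0r" is the newest account.
PASSWD_SNAPSHOT='root:x:0:0:root:/root:/bin/bash
shrub:!:1001:1001:Shrub:/home/shrub:/bin/false
h4x0r:x:1002:1002:New Hire:/home/h4x0r:/bin/bash'

# Constructed output of:  find / -xdev -printf '%U %p\n'
# The deleted user's files survive outside the home directory too.
FILE_OWNERS='0 /etc/shadow
1000 /srv/reports/q2.csv
1000 /home/tree/.ssh/authorized_keys
1001 /home/shrub/notes.txt
1002 /home/h4x0r/.profile'

# True when the UID has no passwd entry. Such a UID is what useradd could
# hand to a newcomer, who would then own every file still attributed to it.
uid_is_free() {
    ! printf '%s\n' "$1" | awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }'
}

# Print "uid path" for every file whose owner UID no longer exists in passwd
# (the files ls shows as owned by a bare number).
orphaned_files() {
    passwd="$1"
    printf '%s\n' "$2" | while IFS=' ' read -r uid path; do
        if uid_is_free "$passwd" "$uid"; then
            printf '%s %s\n' "$uid" "$path"
        fi
    done
}

# True when the account exists, its password field is locked ("!" prefix, as
# passwd -l writes) or starred out, and its shell cannot start a session.
# On a system using /etc/shadow the lock marker lives there, not in field 2.
account_disabled() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { seen = 1
                  locked  = ($2 ~ /^[!*]/)
                  noshell = ($7 == "/bin/false" || $7 == "/usr/sbin/nologin") }
        END { exit !(seen && locked && noshell) }'
}

# Usage: list the orphans, then contrast the deleted UID with the disabled account.
orphaned_files "$PASSWD_SNAPSHOT" "$FILE_OWNERS"
uid_is_free "$PASSWD_SNAPSHOT" 1000 && echo "UID 1000 is free: a new account given it inherits the files above"
account_disabled "$PASSWD_SNAPSHOT" shrub && echo "shrub is disabled in place; its files stay attributed"
```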