However, reading the man pages, this still leaves user files in other
locations extant on the system. This leads to the same problem I'd
alluded to earlier:
If you are in the habit of adding and deleting accounts to your
system frequently, you may end up giving a new user access to a
prior users still-extant files.
Deleting userids is IMO *very* bad practice. At best, it should be done
at some point *well after* the user's account has been rendered
inactive, preferably several quarters or a year after, and *only* after
all related data on the system have been otherwise attributed.
Overeager early deletion or modifications can lead to system, data, or
application failures. Providing transition time allows many of these
conditions to be caught *without* introducing risk or hardship on the
system.
Remember: security on Linux and Unix is fundamentally user-oriented,
and the system's token for user identity is the UID number, *not* the
semantic user name. A UID of 0 is equivalent to "root" wether the user
is named "tree", "shrub", or "h4x0r". Similarly, removing a UID and
later creating a new user with the same ID is equivalent to reinstating
the prior user. If you don't want to provide a new user access to a
former users data, don't recycle UIDs.
A disabled account, with a null password, and a nonfunctional default
shell (eg: /bin/false) is effectively removed from the system. The
only way the UID can be activated is by running an 'su' from root.
On Fri, Aug 18, 2000 at 06:21:44PM -0700, Tal Danzig wrote:
> Or, if you want to completly purge the user and the users home dir:
>
> userdel -r <username>
>
> Tal
>
>
> On Fri, 18 Aug 2000 16:39:51 -0700, kmself@ix.netcom.com said:
>
> > On Fri, Aug 18, 2000 at 08:38:21PM -0600, cls-colo spgs wrote:
> > > debs,
> > >
> > > what's the command for removing user accts?
> >
> > It's often better to *leave* the account intact, but to disable access
> > through it. This provides context for files and other residual data
> > from the user, which otherwise appear as owned by an unknown account
> > (numeric UID only). If you are in the habit of adding and deleting
> > accounts to your system frequently, you may end up giving a new user
> > access to a prior users still-extant files.
> >
> > You might want to look at the "passwd -l" option.
> >
> > --
> > Karsten M. Self <kmself@ix.netcom.com>
> http://www.netcom.com/~kmself
> > Evangelist, Opensales, Inc. http://www.opensales.org
> > What part of "Gestalt" don't you understand? Debian GNU/Linux
> rocks!
> > http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
> > GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
> >
>
>
> --
> Unsubscribe? mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
>
--
Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself
Evangelist, Opensales, Inc. http://www.opensales.org
What part of "Gestalt" don't you understand? Debian GNU/Linux rocks!
http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Attachment:
pgpwsQOHongqK.pgp
Description: PGP signature