Re: pruning cruft in /etc/passwd and /etc/group

[Michael Marsh <michael.a.marsh@gmail.com>]

On Tue, 11 Jan 2005 14:36:49 -0500, Andrew Schulman
<andrex@alumni.utexas.net> wrote:
> Each line in /etc/shadow
> represents, at least conceptually, a point of attack on the system.
> More users, whether login or not, also means more complexity of
> permissions and ownership, and more chance of getting something wrong
> that creates a security hole.  OTOH, it also tends to compartmentalize
> privilege, which is good.

The privilege compartmentalization is the point with these users and
groups.  As far as points of attack, this is only true if those users
have passwords and a real shell configured.  Otherwise, they're just
domains in which to run programs that _might_ have exploits so that
(say) an arbitrary code execution can't be used to give an attacker a
root shell, thereby mitigating existing security holes.  Yes, it does
complicate the permissions and ownership configurations, but more
often than not it's pretty obvious which files and directories should
be owned by and accessible to which programs.

-- 
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh