
Empty password field for libuuid & Debian-exim - Why not a security risk?



Upon installation, Debian includes users libuuid and Debian-exim in
/etc/shadow with an empty password field:

libuuid::14292:0:99999:7:::
Debian-exim::14377:0:99999:7:::

Although Debian-exim specifies /bin/false as a shell in /etc/passwd to
eliminate login, libuuid does not:

libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:103:105::/var/spool/exim4:/bin/false

Besides which, the use of /bin/false does not eliminate use of an
account in ways through ssh, e.g.
http://www.semicomplete.com/articles/ssh-security/

1) What stops one from logging into a Debian machine through libuuid
or Debian-exim by specifying a blank password?  Or, using ssh through
one of these users and a blank password?

2) For a greater degree of comfort or security, could I change the
password field to an '*' for these users without causing a problem?
And, where would I see that problem if it did occur (e.g. exim is not
installed on my system.)?

libuuid:*:14292:0:99999:7:::
Debian-exim:*:14377:0:99999:7:::

Thanks in advance.
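
An added example, not part of the original post: a Python sketch that classifies the password field of each shadow entry as shadow(5) describes it (an empty field means no password is required to authenticate as that login, while a string such as * or ! cannot match any password) and pairs it with the login shell from passwd. The sample entries are the ones quoted in the post; the function names and the set of no-login shells are assumptions of this example.

```python
# Added example: entries quoted in the post, current and with the proposed '*'.
SHADOW_CURRENT = """\
libuuid::14292:0:99999:7:::
Debian-exim::14377:0:99999:7:::
"""
SHADOW_PROPOSED = """\
libuuid:*:14292:0:99999:7:::
Debian-exim:*:14377:0:99999:7:::
"""
PASSWD = """\
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:103:105::/var/spool/exim4:/bin/false
"""
# Assumption of this example: shells treated as refusing an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def password_state(field):
    """Classify the second field of a shadow(5) entry."""
    if field == "":
        return "empty"    # no password required to authenticate
    if field[0] in "*!":
        return "locked"   # not a valid crypt(3) result, matches no password
    return "hash"         # anything else is treated as a hash here

def parse(text, nfields):
    """Yield the fields of each well-formed colon-separated entry."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == nfields and parts[0] and not parts[0].startswith("#"):
            yield parts

def audit(shadow_text, passwd_text):
    """Return one record per shadow entry: password state plus login shell."""
    # passwd(5): an empty shell field defaults to /bin/sh
    shells = {p[0]: p[6] or "/bin/sh" for p in parse(passwd_text, 7)}
    report = []
    for fields in parse(shadow_text, 9):
        user, shell = fields[0], shells.get(fields[0])
        report.append({"user": user, "password": password_state(fields[1]),
                       "shell": shell,
                       "interactive": shell is not None and shell not in NOLOGIN_SHELLS})
    return report

if __name__ == "__main__":
    for label, shadow in (("current", SHADOW_CURRENT), ("proposed", SHADOW_PROPOSED)):
        for rec in audit(shadow, PASSWD):
            print(label, rec)
```

To check a live system, pass the contents of /etc/shadow (readable by root) and /etc/passwd to audit() and review every record whose password state is "empty".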

