On Thu, 10 Dec 20, 09:10:42, Mark Fletcher wrote:
>
> This brings up an interesting thought. In the situation where you align
> user IDs across a number of machines for this purpose, you'll inevitably
> end up with situations where users are created on some of the machines
> only for the purpose of keeping the IDs in synch so they can all play
> nice with the NFS.

adduser --uid 1234 <username>

As far as I know the user creation step can be skipped in the Debian
Installer, if for any reason uid 1000 is to remain unallocated,
otherwise just use debootstrap/mmdebstrap instead.

> Left alone, having unneeded users on a given machine could be a
> security threat, at least in the sense that it provides a greater than
> necessary attackable surface area. What can be done about that?
> Obviously one thing would be setting the shell to /dev/null in the
> password file of those machines that don't need a given user, to
> prevent interactive logins. What else could be done? Is there a way to
> put an account "beyond use", in any way including su, sudo etc, while
> still having the machine recognise the user for being a user and
> therefore not messing up the mapping of user IDs on shared resources
> like NFS? In other words, create the sense of "yes this user exists,
> but they are not welcome here"?

passwd -l/--lock <username>

See 'man passwd' for details, limitations and alternatives.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
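Added example, not part of the original message: a POSIX shell check of how closed a UID-placeholder account is, given its passwd(5) and shadow(5) lines. The function name, finding labels and sample entries are constructed for illustration; the expiry check reflects the passwd(1) note that a locked password does not disable the account and that `usermod --expiredate 1` does.

```shell
#!/bin/sh
# Added example: report why a placeholder account (kept only so the UID
# maps correctly over NFS) could still be used on this machine.
# $1 = the account's passwd(5) line, $2 = its shadow(5) line.
# Prints a space-separated list of findings, or "ok".
account_findings() {
    passwd_line=$1
    shadow_line=$2
    findings=""

    # passwd(5): name:x:uid:gid:gecos:home:shell
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    # shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)

    # passwd -l prefixes the stored hash with '!'; a field starting with
    # '!' or '*' can never match a typed password.
    case $hash in
        '!'*|'*'*) ;;
        '') findings="$findings empty-password" ;;
        *)  findings="$findings password-usable" ;;
    esac

    # Locking the password leaves other authentication (e.g. SSH keys) alone.
    # An expiry date in the past (usermod --expiredate 1) disables the account.
    today=$(( $(date +%s) / 86400 ))
    if [ -z "$expire" ] || [ "$expire" -ge "$today" ]; then
        findings="$findings not-expired"
    fi

    # Shells that refuse a session; /dev/null is the value proposed in the thread.
    case $shell in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/dev/null) ;;
        *) findings="$findings shell:$shell" ;;
    esac

    if [ -n "$findings" ]; then echo "${findings# }"; else echo ok; fi
}

# Constructed sample entries (not taken from any real system).
account_findings 'alice:x:1234:1234::/home/alice:/bin/bash' \
                 'alice:$y$j9T$constructed$hash:18600:0:99999:7:::'
account_findings 'bob:x:1235:1235::/nonexistent:/usr/sbin/nologin' \
                 'bob:!:18600:0:99999:7::1:'
```

On a real host the two lines can be taken from `getent passwd <username>` and, as root, `getent shadow <username>`.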