SUMMARY: Safe to disable unused accounts?

From: Jonathan Williams (jonathw_at_shubertorg.com)
Date: 09/23/04

    Date: Thu, 23 Sep 2004 14:43:04 -0400
    To: Tru64-UNIX-Managers@ornl.gov
    
    

    Wow, nice and fast responses from Ann Majeske and Dr. Blinn.

    The short answer is yes, feel free to lock these accounts, but DO NOT REMOVE
    THEM.

    And for the longer version, I'll paste Ann's response:

    "Sure, it's OK to lock accounts that will not be logged into,
    including the accounts you listed below. There are a
    number of ways you can lock them in Enhanced Security
    including the administrative lock (setting u_lock vs u_lock@)
    and setting the u_pwd field to a bogus value, see "man
    prpasswd" for a description of the fields. I'm not sure I'd
    set them as retired (u_retired) as that may do more than
    just prevent logins.

    Most of these users should not be removed as they are used
    by the system for a variety of things, some of which are
    UNIX legacy and/or industry standards. Even if you
    don't use the functionality there are files out there owned
    by these users, so if you create new users with the UIDs
    assigned to these users you could be giving those users
    unintended access and/or privileges.

    The only ones that I know could be deleted are uucp and
    uucpa, as long as you don't use uucp, of course. But there's
    still the issue of potentially reassigning the UID to someone
    else, so I'm not sure I'd do more than disable these as well."

    Thanks so much. :)

    Jonathan Williams
    Unix Systems Administrator
    The Shubert Organization, Inc.

    ----- Original Message -----
    From: "Jonathan Williams" <jonathw@shubertorg.com>
    To: <Tru64-UNIX-Managers@ornl.gov>
    Sent: Thursday, September 23, 2004 2:00 PM
    Subject: Safe to disable unused accounts?

    | Hi. I'm running Tru64 5.1b, pk 3 on a variety of ES machines.
    |
    | I was just wondering if it is OK to disable (i.e. lock) some of the system
    | default accounts. The accounts in question are:
    |
    | auth
    | bin
    | cron
    | daemon
    | lp
    | tcb
    | uucp
    | uucpa
    |
    | Apparently these accounts have never ever been accessed, so I would assume
    | it's safe to lock them (maybe even remove them entirely), but just wanted to
    | be sure.
    | TIA
    |
    | Jonathan Williams
    | Unix Systems Administrator
    | The Shubert Organization, Inc.
    |
    |
    |
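
An added example, not part of the original thread or of any Tru64 tooling: a small audit that reads protected-password entries and reports, for each system account discussed above, whether it is locked via u_lock, retired, carries a bogus u_pwd, can still log in, or is missing entirely. The entry layout, the sample entries, the list of "bogus" password values and all function names are assumptions made for illustration.

```python
import re

# Constructed sample entries, NOT from a real system. Assumed layout
# (authcap style, see "man prpasswd"): name=value is a string, name#n a
# number, a bare name is true, name@ is false, "\" continues a line.
SAMPLE = r"""
bin:u_name=bin:u_id#3:u_pwd=*:u_lock:chkent:
cron:u_name=cron:u_id#6:u_pwd=Nologin:u_lock@:chkent:
uucp:u_name=uucp:u_id#4:u_pwd=abcDEF123456x:\
    :u_lock@:chkent:
lp:u_name=lp:u_id#8:u_pwd=*:u_retired:chkent:
"""

def parse_entry(line):
    """Turn one entry into a dict of field name -> str/int/bool."""
    fields = {}
    for tok in re.split(r"(?<!\\):", line)[1:]:      # skip the entry key
        tok = tok.strip()
        if not tok or tok == "chkent":               # empty or end marker
            continue
        name, sep, rest = re.match(r"(\w+)([=#@]?)(.*)", tok).groups()
        if sep == "=":
            fields[name] = rest.replace("\\:", ":")  # unescape colons
        elif sep == "#":
            fields[name] = int(rest)
        else:
            fields[name] = sep != "@"                # bare -> True, @ -> False
    return fields

def parse_db(raw):
    joined = re.sub(r"\\\n\s*", "", raw)             # fold continuation lines
    return {l.split(":", 1)[0]: parse_entry(l)
            for l in joined.splitlines() if l.strip()}

def audit(db, accounts, bogus=("*", "Nologin")):     # bogus values: assumption
    """Classify each account by how (or whether) logins are prevented."""
    report = {}
    for name in accounts:
        e = db.get(name)
        if e is None:
            report[name] = "missing"                 # removed: UID could be reused
        elif e.get("u_retired"):
            report[name] = "retired"                 # may do more than block logins
        elif e.get("u_lock"):
            report[name] = "locked"
        elif e.get("u_pwd") in bogus:
            report[name] = "bogus-password"
        else:
            report[name] = "login-possible"
    return report

if __name__ == "__main__":
    print(audit(parse_db(SAMPLE), ["bin", "cron", "uucp", "lp", "tcb"]))
```

A "missing" result is the case the reply warns about: the account is gone, so its UID could later be assigned to a new user who would inherit the files it owns.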

