topic Re: /etc/passwd users in Operating System - HP-UX

/etc/passwd users

Noa Harel_2 — Wed, 27 Nov 2002 12:01:01 GMT

There are some users that seem to be a little non-secured. I want to remove them or to give them a false shell. Is this going to help securing the system? Is it enough to comment the users?
Can I delete them completely?
Hi all, I'm a dummy in HP-UX.
I'm trying to secure my system a little.
Here are the users:
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:/bin/false
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
tftp:,.:510:1:Trivial FTP user:/home/tftpdir:/usr/bin/false

Re: /etc/passwd users

Robert Thorneycroft — Wed, 27 Nov 2002 12:12:58 GMT

You really don't want to be messing about with any of these users else you will probably find your system becomes unbootable or at least unstable.

The above users are all system users with standard security settings and should not normally cause any security risks.

I hope this helps,

Robert Thorneycroft

Re: /etc/passwd users

Pete Randall — Wed, 27 Nov 2002 12:14:07 GMT

No! Don't do it!

You can't log in as these users anyway and they are critical for various system functions. Leave then as is.

Pete

Re: /etc/passwd users

Noa Harel_2 — Wed, 27 Nov 2002 12:21:27 GMT

Thanks guys.

Re: /etc/passwd users

Keith Buck — Wed, 27 Nov 2002 16:47:33 GMT

As the others said, don't do it.

On a few of those users, you can probably safely change the shells to /bin/false. However, it won't really increase the security of the system. The * in the password field will prevent anyone from logging in. DO NOT set a password for these users.

If you're interested in securing your system, try HP-UX Bastille. The tool is supported by HP and explains the tradeoffs of implementing security features. It's also supposed to be very educational (I hope it is for you.)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Re: /etc/passwd users

Steven Sim Kok Leong — Fri, 29 Nov 2002 06:11:44 GMT

Hi,

If you take a look at the CIS HP-UX Level-1 Benchmark 1.03 from http://www.cisecurity.org (a well accredited consortium of renown members in the security arena), you will note that there are certain system accounts which you can actually disable out of the list you provided above. According to CIS, Level-I Benchmark settings/actions are unlikely to cause an interruption of service to the operating system or the applications that run on it.

Extracted here for your convenience:
=======================================
9 User Accounts and Environment

9.1 Purge or lock system accounts

Action:

for user in uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm
do /usr/lbin/modprpw -w "*" "$user"
/usr/sbin/usermod ???s /bin/false "$user"
done

Discussion:

Access to the uucp and nuucp accounts is only needed when the deprecated Unix to
Unix Copy (UUCP) service is in use. The other listed accounts should never require
direct access. The above action locks the passwords to these accounts (on systems
converted to Trusted Mode only) and sets the login shell to /bin/false.
=======================================

Hope this helps. Regards.

Steven Sim Kok Leong

Re: /etc/passwd users

Tim Maletic — Mon, 02 Dec 2002 14:30:39 GMT

There is some value in both locking the account (with "*" in the password field) and setting the shell to an invalid shell (such as /bin/false), since some applications don't need a real shell, and some applications don't authenticate via /etc/passwd.

For example, I've seen systems with /bin/false in /etc/shells (don't ask me why), in which case disabled accounts could use ftp. And if an attacker could drop a .rhosts file in, say, /var/adm, then they could rlogin as adm with the above /etc/passwd config.

-Tim