topic Re: disabling user ID's in Operating System - HP-UX

disabling user ID's

Paul T. Green — Wed, 18 Jul 2001 14:59:33 GMT

In my password file I find users like:
daemon
bin
sys
adm
uucp
lp
nuucp
hpdp
nobody
and www
are these ID's not a security issue?
can the be disabled? their password are *
should I leave them alone or should they be investigated individually?

Re: disabling user ID's

Richard Darling — Wed, 18 Jul 2001 15:04:07 GMT

Frank, these are standard groups on HP-UX and all have a special purpose. I wouldn't mess with them...
RD

Re: disabling user ID's

Paula J Frazer-Campbell — Wed, 18 Jul 2001 15:04:51 GMT

Hi

These users are used by the system to give identity and ownership to system files /processes - do not delete them.

Paula

Re: disabling user ID's

A. Clay Stephenson — Wed, 18 Jul 2001 15:04:56 GMT

Hi Frank,

Leave these alone. Most are essential. As long as they have '*' in the password field they are
disabled. That is one of the stand idioms to disable an account. Passwd can never generate a '*' as a passwd and '*' no entered passwd would ever decrypt (hash actually) to '*'.

Regards, Clay

Re: disabling user ID's

Patrick Wallek — Wed, 18 Jul 2001 15:05:11 GMT

Since their passwords are a *, no one can log in directly as one of those id's. The only way to login as one of those id's is to su to it from root. Do NOT delete those id's. They are used for various daemons. All of the lp processes (lpsched, etc.) run as the lp user for example.

I personally don't consider them a risk with the * in the password field and they are needed by the OS.

Re: disabling user ID's

James R. Ferguson — Wed, 18 Jul 2001 15:07:54 GMT

Frank:

These are standard users for UNIX. There is no risk associated with leaving them exactly as they are defined.

...JRF...

Re: disabling user ID's

Wodisch — Wed, 18 Jul 2001 17:23:33 GMT

Hello Frank,

most are actively used to run processes (like "lp", and
"daemon"), some are justr there to own files (like "bin").
Perhaps the only ones you could remove would be
"uucp" (owner of the UUCP files) and "nuucp" (id to
run a UUCP-connection under). UUCP is/was the Unix-
to-Unix-CoPy system - a kind of modem based network.
If you do NOT use modesm (and never will) those could
be removed, propably, but as long these accounts are
locked (invalid shell, "*" as password) no problems are
to be expected!

HTH,
Wodisch

Re: disabling user ID's

Jim Turner — Wed, 18 Jul 2001 17:33:58 GMT

Frank,

One extra consideration might be to assign these users a shell of /bin/false. Totally redundant, and perhaps even ill-advised. Maybe Clay/Pat/JRF would care to comment?

Cheers,
Jim

Re: disabling user ID's

A. Clay Stephenson — Wed, 18 Jul 2001 17:39:19 GMT

Hi Jim/Frank:

No I wouldn't do that either. For example,
when someone logs in as nuucp (or uucp) I definitely want uucico to start. I admit that with '*' as the passwd they won't be able to login but that's one more thing to mess up if I need to enable incoming uucp. Again, the '*' is a standard idiom and it has literally worked for decades.

Clay