topic Re: Unnecessary preinstalled users in Operating System - Linux

Unnecessary preinstalled users

Bruce Copeland — Tue, 30 Mar 2004 10:45:23 GMT

Red Hat (and Fedora) Linux distributions ship with quite a few preinstalled users (bin, mail, ftp, nobody, etc.) I know what purpose quite a few of these serve, but I don't have a clue about some of the others. Does anyone know if there is a list anywhere that describes each of these users and the consequences of removing them? For obvious security reasons, I'd like to get rid of the unnecessary users.

Bruce

Re: Unnecessary preinstalled users

Nicolas Dumeige — Tue, 30 Mar 2004 10:52:17 GMT

Why don't you just check that those account have /nologin as login shell ?

Therefore, you would not take any risk that a software will need this account and you would save he time needed to check and "clean" those accounts

Re: Unnecessary preinstalled users

Bruce Copeland — Tue, 30 Mar 2004 13:19:43 GMT

Most of them already have /sbin/nologin a their login, but some of them like sync and halt are installed with /sbin/"username". I guess my question is 'Why do some of these come preinstalled with an actual login?'

Bruce

Re: Unnecessary preinstalled users

Steven E. Protter — Tue, 30 Mar 2004 13:46:06 GMT

Most of the users are there for very good reasons. The user needs to be there to own binaries, run a daemon and such.

I've found that on these users I can set a password on them without effecting the underlying application.

It is possible for these users to be exploited. Thats why I generally build my systems off line, then take note of what those users are.

I would not delete many of these users as functionality will be effected.

Its better to have the user than not. Lets say i have a user called named. He runs the DNS/BIND daemon. It takes some configuration to make that happen, but if someone exploits DNS/BIND under this scenario they get named priviledges, not root priveledges.

Hope this helps.

SEP

Re: Unnecessary preinstalled users

Bruce Copeland — Tue, 30 Mar 2004 15:52:32 GMT

Thanks SEP.

I knew that many of these users were associated with daemons and that removing them might break something. I'll see if I can (one at a time) add passwords to some of them. That's easy to do on individual Linux boxes. The server is more problematic, since it rarely gets completely rebooted, and I think a reboot is probably what it takes to fully test a change in user status.

I'm still a little surprised there isn't more organized documentation on these various preinstalled users. Seems like a security hole since most individual Linux users and a fair number of administrators won't have the know-how or patience to investigate this issue.

Bruce

Re: Unnecessary preinstalled users

Olivier Drouin — Tue, 30 Mar 2004 16:10:06 GMT

If they have /sbin/nologin (or /bin/false) shell you shouldnt worry about them, they will not be exploited. If they have other programs as shell just keep these programs up to date.

I agreee with you tough that it should be better documented since this is very distribution specific.

Re: Unnecessary preinstalled users

Stuart Browne — Tue, 30 Mar 2004 18:59:39 GMT

By default, these users will have a /etc/shadow password entry of '!!'. Simply put, someone can try hack that account (using password/dictionary attacks) and never break it.

'!!' is shadow for "Never will a password match this!". There is no possible string that will encrypt to match it.

Apart from the fact that they have '/sbin/nologin' as their shell, someone would have had to already hacked into the system in order to utilize these accounts.

Putting a password on these accounts actually reduces their protection.

Re: Unnecessary preinstalled users

Bruce Copeland — Tue, 30 Mar 2004 23:51:10 GMT

Thanks Stuart. That clears things up AND saves me some work.

Bruce

Re: Unnecessary preinstalled users

Steven E. Protter — Wed, 31 Mar 2004 01:17:31 GMT

What Stuart points out was new to me. My advice was based on Linux 7.3 experience, where i had a few default users hacked.

Point totals do not tell the whole Story. Stuart is the most knowledgeable person I've run into in this forum.

If Stuart ever disagrees with me, go with him first.

SEP

Re: Unnecessary preinstalled users

Manuel Wolfshant — Wed, 31 Mar 2004 03:39:09 GMT

On workstations, I have always deleted some of the default users, such as news/ftp/gopher and similar. These are users used by some specific servers and whenever I knew those servers will never run on a particular machine, I deleted that specific user(s). Never had problems because those users dissapeared during the last 4 years. A hint in choosing the unnecessary users: their home directory, as specified by /etc/passwd, does not actually exist. It is created and populated with files only when the server software is installed.

As a sidenote, I am still curious what is the "operator" user meant for. I've seen several machines hacked, where "operator" was used as a backdoor for root. OTOH, never seen any software making use of this specific user.