Operating System - HP-UX

Re: Disable system userid???

 
EY
Occasional Contributor

Disable system userid???

Hi,

The auditor requested us to disable or remove the access to the shell for the following users:
1. bin
2. daemon
3. sys
4. uucp
5. ip
6. nuucp

Can I do that, and how? Will it affect the system after I disable these users?

Thanks for your advice.

Regards,
Oee
4 REPLIES 4
Jim Walls
Trusted Contributor

Re: Disable system userid???

passwd -l

Will lock the user's login.

All the logins in your list are usually locked by default.

passwd -s to see the status.

I've no experience of what might break if you change the default shell for these admin type users. But you could experiment if you have a suitable test platform - be prepared to boot to single user if it gets out of hand.

uucp and nuucp usually have a special shell /usr/lbin/uucp/uucico; so it may not be a good idea to mess with them if you use uucp (does anyone still use uucp?)

Bill Hassell
Honored Contributor

Re: Disable system userid???

Do not remove these user IDs. The auditors cannot log in to any of these user IDs -- they were disabled when your system was installed and unless someone changed these logins, they are still disabled. You can take the extra steps to lock the user IDs with the passwd command and change the login shell to /usr/bin/false.

These are special user IDs and no one will ever log in to them. But they represent system ownership of specific files. Removing them may be detrimental to your system.


Bill Hassell, sysadmin
sarfaraj ahmad
Trusted Contributor

Re: Disable system userid???

Hi,

Please don't remove or disable these system-generated users.

From the audit point of view, these user accounts increase the likelihood of compromise by providing attackers with more user accounts to check for security holes.

A better idea is to change their login shell to /usr/bin/false or /dev/null or /bin/false, and finally cross-check the /etc/passwd file for changes. Now these users will not be able to get any shell in the system for normal operation.
Hakki Aydin Ucar
Honored Contributor

Re: Disable system userid???

They are special and must already be disabled. If you want to see whether they are locked:
# passwd -a -s

This shows who is locked or PS (PS means a normal pwd account).
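
An added example, not part of any reply in this thread: a POSIX shell check that reports, for each account name given, whether the entry still exists in a passwd-format file, whether field 2 can match a password, and whether field 7 is one of the non-login shells suggested above. The sample entries are constructed, the function names are hypothetical, and reading the lock state from field 2 assumes a system that keeps the password hash in /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the thread). Output per account: name, lock state, shell class, shell.
# Assumption: a field-2 value starting with "*" or "!" cannot match any password.

audit_system_accounts() {
    passwd_file=$1; shift
    for acct in "$@"; do
        awk -F: -v u="$acct" '
            $1 == u {
                found = 1
                if ($2 == "")            lock = "NO-PASSWORD"      # empty field: no password needed
                else if ($2 ~ /^[*!]/)   lock = "locked"
                else                     lock = "PASSWORD-USABLE"
                if ($7 == "/usr/bin/false" || $7 == "/bin/false" || $7 == "/dev/null")
                    cls = "no-shell"
                else if ($7 ~ /\/uucico$/)
                    cls = "uucico"       # special uucp shell mentioned in the thread
                else
                    cls = "LOGIN-SHELL"  # includes an empty field, which means a default shell
                printf "%s %s %s %s\n", u, lock, cls, ($7 == "" ? "-" : $7)
            }
            # A removed account is a finding too: the IDs own system files.
            END { if (!found) printf "%s MISSING - -\n", u }
        ' "$passwd_file"
    done
}

# Constructed sample entries, not taken from a real system.
sample_passwd() {
cat <<'EOF'
bin:*:2:2::/usr/bin:/sbin/sh
daemon:*:1:5::/:/usr/bin/false
sys:*:3:3::/:
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
nuucp:abCdEfGhIjKlM:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
EOF
}

tmp=${TMPDIR:-/tmp}/passwd.sample.$$
sample_passwd > "$tmp"
# Account names exactly as listed in the question.
audit_system_accounts "$tmp" bin daemon sys uucp ip nuucp
rm -f "$tmp"
```

Point it at a copy of the real file and compare the result with `passwd -s` for the same accounts.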