HPE Community
Operating System - HP-UX
1836894 Members
2522 Online
110111 Solutions
New Discussion

Re: Delete HP standard users.

 
SOLVED
Go to solution
roel_hawk
Occasional Advisor

‎04-22-2007 12:33 PM

‎04-22-2007 12:33 PM

Delete HP standard users.

Hi,

For security reasons, the management is planning to delete not used HP standard users. Can you tell me which HP standard users can be deleted and which are not. The standard users are:

daemon
bin
sys
adm
uucp
lp
nuucp
hpdb
nobody
www
smbnull
webadmin
iwww
owww
mysql
tftp

Will it cause any problems if we delete it? We are running SAP with oracle database in our HP-UX 11i server.

Thanks,

Roel
0 Kudos
Reply
5 REPLIES 5
A. Clay Stephenson
Acclaimed Contributor

‎04-22-2007 12:45 PM

‎04-22-2007 12:45 PM

Solution

Re: Delete HP standard users.

At a minimum, I would keep bin, sys, and lp. I would probably also add daemon to the list. For the others, it's an "it depends". For example, are you running uucp? (I doubt it.) The user www is often the effective user for the httpd daemon. Do you allow anonymous NFS? If so then you need nobody. I would suggest that you do a system-wide find looking for files owned by each of these users. Bear in mind that each of these users can (and should) be disabled so that file ownership is maintained but no one can actually login as this user. An often unforeseen problem with wholesale deletion of system accounts is that patch installation may fail --- and applications that assume the certain users exist on a system (whether active or not).
If it ain't broke, I can fix that.
Reply
Bill Hassell
Honored Contributor

‎04-22-2007 01:27 PM

‎04-22-2007 01:27 PM

Re: Delete HP standard users.

These are not real users and no one can login to these user names no matter what they do -- they are permanently locked out. These are classic Unix user names and IDs and I would suggest that the security recommendations be reviewed by an expert with Unix experience, not just Windows. Once you remove these IDs, your system will be no safer than before and not, the majority of your HP-UX files will have numeric owners (ie 2 rather than bin, 3 rather than sys, 4 rather than adm, etc). There *will* be side effects of this type of "security improvement" and it create sysadmin problems...almost impossible to predict. I would not remove these user names.


Bill Hassell, sysadmin
Reply
roel_hawk
Occasional Advisor

‎04-22-2007 02:10 PM

‎04-22-2007 02:10 PM

Re: Delete HP standard users.

Thanks Bill and Clay for your inputs. Is there any documentation about this where I can download. I will present it to management so that they will reconsider their decision.

thanks,

Roel
0 Kudos
Reply
Maxim Yakimenko
Super Advisor

‎04-24-2007 12:47 AM

‎04-24-2007 12:47 AM

Re: Delete HP standard users.

Hi, roel

I think it will be difficult to find any docs that can prove you do not need to delete this accounts - it is just common sense. And I can not imagine that these standard accounts are extremly dangerous - no one can "su" to them except root, no can login under them - cause they have no password. The only purpose, I think, of them to define access rules to files and dirs of software. Deleting of accounts is usefull, for example, on Oracle - scott/tiger :) in other words - standard user with known standard password, that can be used for logging in, that is not your case. Also, can anyone guarantee correct operation of installed software after deletion?

Search for everyone of them in docs or ask HP. "Fanaticism" is dangerous :)

0 Kudos
Reply
Jeff_Traigle
Honored Contributor

‎04-24-2007 01:12 AM

‎04-24-2007 01:12 AM

Re: Delete HP standard users.

tftp can safely be removed if you're not using the tftp service.

If you're not running a web server or mysql on the system, those can be eliminated (www, iwww, owww, mysql, webadmin). I'd actually suggest removing the associated software with swremove and these accounts should be cleaned up as part of the removal if HP did a good packaging job.

If you're not using CIFS/Samba, you don't need smbnull and that should be removed when you swremove that software.

I don't know what hpdb is associated with so I wouldn't touch it.

The others I wouldn't touch either. These are typical UNIX system accounts that are required for certain subsystems to work. Removing any of them could cause system malfunctions and outages. As Bill and ACS suggested, these failures might not be immediate or predictable, but something would likely fail at some point because of their removal. As long as the accounts are locked, they don't impact the security (from an access perspective) of the system at all.
--
Jeff Traigle
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.