HPE Community
Operating System - HP-UX
1834137 Members
2336 Online
110064 Solutions
New Discussion

disabling user ID's

 
Paul T. Green
Advisor

‎07-18-2001 07:59 AM

‎07-18-2001 07:59 AM

disabling user ID's

In my password file I find users like:
daemon
bin
sys
adm
uucp
lp
nuucp
hpdp
nobody
and www
are these ID's not a security issue?
can the be disabled? their password are *
should I leave them alone or should they be investigated individually?
We'd like to know a little bit about you for our files.... Paul Simon
0 Kudos
Reply
8 REPLIES 8
Richard Darling
Trusted Contributor

‎07-18-2001 08:04 AM

‎07-18-2001 08:04 AM

Re: disabling user ID's

Frank, these are standard groups on HP-UX and all have a special purpose. I wouldn't mess with them...
RD
0 Kudos
Reply
Paula J Frazer-Campbell
Honored Contributor

‎07-18-2001 08:04 AM

‎07-18-2001 08:04 AM

Re: disabling user ID's

Hi

These users are used by the system to give identity and ownership to system files /processes - do not delete them.


Paula
If you can spell SysAdmin then you is one - anon
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎07-18-2001 08:04 AM

‎07-18-2001 08:04 AM

Re: disabling user ID's

Hi Frank,

Leave these alone. Most are essential. As long as they have '*' in the password field they are
disabled. That is one of the stand idioms to disable an account. Passwd can never generate a '*' as a passwd and '*' no entered passwd would ever decrypt (hash actually) to '*'.

Regards, Clay
If it ain't broke, I can fix that.
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎07-18-2001 08:05 AM

‎07-18-2001 08:05 AM

Re: disabling user ID's

Since their passwords are a *, no one can log in directly as one of those id's. The only way to login as one of those id's is to su to it from root. Do NOT delete those id's. They are used for various daemons. All of the lp processes (lpsched, etc.) run as the lp user for example.

I personally don't consider them a risk with the * in the password field and they are needed by the OS.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎07-18-2001 08:07 AM

‎07-18-2001 08:07 AM

Re: disabling user ID's

Frank:

These are standard users for UNIX. There is no risk associated with leaving them exactly as they are defined.

...JRF...
0 Kudos
Reply
Wodisch
Honored Contributor

‎07-18-2001 10:23 AM

‎07-18-2001 10:23 AM

Re: disabling user ID's

Hello Frank,

most are actively used to run processes (like "lp", and
"daemon"), some are justr there to own files (like "bin").
Perhaps the only ones you could remove would be
"uucp" (owner of the UUCP files) and "nuucp" (id to
run a UUCP-connection under). UUCP is/was the Unix-
to-Unix-CoPy system - a kind of modem based network.
If you do NOT use modesm (and never will) those could
be removed, propably, but as long these accounts are
locked (invalid shell, "*" as password) no problems are
to be expected!

HTH,
Wodisch
0 Kudos
Reply
Jim Turner
HPE Pro

‎07-18-2001 10:33 AM

‎07-18-2001 10:33 AM

Re: disabling user ID's

Frank,

One extra consideration might be to assign these users a shell of /bin/false. Totally redundant, and perhaps even ill-advised. Maybe Clay/Pat/JRF would care to comment?

Cheers,
Jim
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎07-18-2001 10:39 AM

‎07-18-2001 10:39 AM

Re: disabling user ID's

Hi Jim/Frank:

No I wouldn't do that either. For example,
when someone logs in as nuucp (or uucp) I definitely want uucico to start. I admit that with '*' as the passwd they won't be able to login but that's one more thing to mess up if I need to enable incoming uucp. Again, the '*' is a standard idiom and it has literally worked for decades.

Clay
If it ain't broke, I can fix that.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.