1834137 Members
2336 Online
110064 Solutions
New Discussion

disabling user ID's

 
Paul T. Green
Advisor

disabling user ID's

In my password file I find users like:
daemon
bin
sys
adm
uucp
lp
nuucp
hpdp
nobody
and www
are these ID's not a security issue?
can the be disabled? their password are *
should I leave them alone or should they be investigated individually?
We'd like to know a little bit about you for our files.... Paul Simon
8 REPLIES 8
Richard Darling
Trusted Contributor

Re: disabling user ID's

Frank, these are standard groups on HP-UX and all have a special purpose. I wouldn't mess with them...
RD
Paula J Frazer-Campbell
Honored Contributor

Re: disabling user ID's

Hi

These users are used by the system to give identity and ownership to system files /processes - do not delete them.


Paula
If you can spell SysAdmin then you is one - anon
A. Clay Stephenson
Acclaimed Contributor

Re: disabling user ID's

Hi Frank,

Leave these alone. Most are essential. As long as they have '*' in the password field they are
disabled. That is one of the stand idioms to disable an account. Passwd can never generate a '*' as a passwd and '*' no entered passwd would ever decrypt (hash actually) to '*'.

Regards, Clay
If it ain't broke, I can fix that.
Patrick Wallek
Honored Contributor

Re: disabling user ID's

Since their passwords are a *, no one can log in directly as one of those id's. The only way to login as one of those id's is to su to it from root. Do NOT delete those id's. They are used for various daemons. All of the lp processes (lpsched, etc.) run as the lp user for example.

I personally don't consider them a risk with the * in the password field and they are needed by the OS.
James R. Ferguson
Acclaimed Contributor

Re: disabling user ID's

Frank:

These are standard users for UNIX. There is no risk associated with leaving them exactly as they are defined.

...JRF...
Wodisch
Honored Contributor

Re: disabling user ID's

Hello Frank,

most are actively used to run processes (like "lp", and
"daemon"), some are justr there to own files (like "bin").
Perhaps the only ones you could remove would be
"uucp" (owner of the UUCP files) and "nuucp" (id to
run a UUCP-connection under). UUCP is/was the Unix-
to-Unix-CoPy system - a kind of modem based network.
If you do NOT use modesm (and never will) those could
be removed, propably, but as long these accounts are
locked (invalid shell, "*" as password) no problems are
to be expected!

HTH,
Wodisch
Jim Turner
HPE Pro

Re: disabling user ID's

Frank,

One extra consideration might be to assign these users a shell of /bin/false. Totally redundant, and perhaps even ill-advised. Maybe Clay/Pat/JRF would care to comment?

Cheers,
Jim
A. Clay Stephenson
Acclaimed Contributor

Re: disabling user ID's

Hi Jim/Frank:

No I wouldn't do that either. For example,
when someone logs in as nuucp (or uucp) I definitely want uucico to start. I admit that with '*' as the passwd they won't be able to login but that's one more thing to mess up if I need to enable incoming uucp. Again, the '*' is a standard idiom and it has literally worked for decades.

Clay
If it ain't broke, I can fix that.