Re: /etc/passwd users

Noa Harel_2
Advisor

/etc/passwd users

There are some users that seem to be a little non-secured. I want to remove them or to give them a false shell. Is this going to help secure the system? Is it enough to comment out the users?
Can I delete them completely?
Hi all, I'm a dummy in HP-UX.
I'm trying to secure my system a little.
Here are the users:
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:/bin/false
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
tftp:,.:510:1:Trivial FTP user:/home/tftpdir:/usr/bin/false
Robert Thorneycroft
Valued Contributor
Solution

Re: /etc/passwd users

You really don't want to be messing about with any of these users else you will probably find your system becomes unbootable or at least unstable.

The above users are all system users with standard security settings and should not normally cause any security risks.

I hope this helps,

Robert Thorneycroft
Pete Randall
Outstanding Contributor

Re: /etc/passwd users

No! Don't do it!

You can't log in as these users anyway and they are critical for various system functions. Leave them as is.

Pete
Noa Harel_2
Advisor

Re: /etc/passwd users

Thanks guys.
Keith Buck
Respected Contributor

Re: /etc/passwd users

As the others said, don't do it.

On a few of those users, you can probably safely change the shells to /bin/false. However, it won't really increase the security of the system. The * in the password field will prevent anyone from logging in. DO NOT set a password for these users.

If you're interested in securing your system, try HP-UX Bastille. The tool is supported by HP and explains the tradeoffs of implementing security features. It's also supposed to be very educational (I hope it is for you.)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA
Steven Sim Kok Leong
Honored Contributor

Re: /etc/passwd users

Hi,

If you take a look at the CIS HP-UX Level-1 Benchmark 1.03 from http://www.cisecurity.org (a well-accredited consortium of renowned members in the security arena), you will note that there are certain system accounts which you can actually disable out of the list you provided above. According to CIS, Level-I Benchmark settings/actions are unlikely to cause an interruption of service to the operating system or the applications that run on it.

Extracted here for your convenience:
=======================================
9 User Accounts and Environment

9.1 Purge or lock system accounts

Action:

for user in uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm
do /usr/lbin/modprpw -w "*" "$user"
/usr/sbin/usermod -s /bin/false "$user"
done

Discussion:

Access to the uucp and nuucp accounts is only needed when the deprecated Unix to
Unix Copy (UUCP) service is in use. The other listed accounts should never require
direct access. The above action locks the passwords to these accounts (on systems
converted to Trusted Mode only) and sets the login shell to /bin/false.
=======================================

Hope this helps. Regards.

Steven Sim Kok Leong
Tim Maletic
Valued Contributor

Re: /etc/passwd users

There is some value in both locking the account (with "*" in the password field) and setting the shell to an invalid shell (such as /bin/false), since some applications don't need a real shell, and some applications don't authenticate via /etc/passwd.

For example, I've seen systems with /bin/false in /etc/shells (don't ask me why), in which case disabled accounts could use ftp. And if an attacker could drop a .rhosts file in, say, /var/adm, then they could rlogin as adm with the above /etc/passwd config.

-Tim
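
The two checks discussed in this thread (a "*" password field, and a shell that no service treats as valid), as an added example that is not part of any poster's reply. The function names are hypothetical, the four passwd entries are taken from the question, and the shells list is constructed to reproduce the /bin/false case described in the last reply.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two conditions discussed:
# a "*" password field and a shell that no service accepts as valid.
# Usage: audit_passwd PASSWD_FILE SHELLS_FILE   (prints "user: finding" lines)
audit_passwd() {
    awk -F: -v sf="$2" '
        # Shells list: one path per line; skip blanks and comments.
        FILENAME == sf { if ($0 != "" && $0 !~ /^#/) listed[$0] = 1; next }
        {
            user = $1; pw = $2; shell = $7
            if (pw != "*")
                print user ": password field is not \"*\""
            if (shell == "")
                print user ": empty shell field, default shell applies"
            else if (shell !~ /\/(false|nologin)$/)
                print user ": login shell is " shell
            else if (shell in listed)
                print user ": " shell " is in the shells list"
        }
    ' "$2" "$1"
}

# Sample input: four entries from the question, plus a constructed shells
# list that reproduces the /bin/false misconfiguration from the last reply.
write_sample() {
    cat > "$1/passwd" <<'EOF'
daemon:*:1:5::/:/sbin/sh
sys:*:3:3::/:/bin/false
www:*:30:1::/:
tftp:,.:510:1:Trivial FTP user:/home/tftpdir:/usr/bin/false
EOF
    cat > "$1/shells" <<'EOF'
/sbin/sh
/bin/false
EOF
}

# Runs the audit on the sample in a private scratch directory.
run_sample() {
    dir="${TMPDIR:-/tmp}/passwd_audit.$$"
    mkdir -m 700 "$dir" || return 1
    write_sample "$dir"
    audit_passwd "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

run_sample
```

On a live system the arguments would be /etc/passwd and /etc/shells; on a system converted to Trusted Mode every password field in /etc/passwd is "*", so only the shell findings are informative there.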