Operating System - HP-UX
security policies for system accounts adm, lp, bin etc

Dave Chamberlin
Trusted Contributor


I have recently converted my HPUX 11.0 system to trusted. Several system accounts - adm, sys, bin, lp and others - are now deactivated. When I try to reactivate, SAM indicates that they have a password of "*", which is why they are deactivated. Do I have to manage passwords for these accounts? Does it matter if they are deactivated? What is a typical way to manage this type of account (from a security perspective)? Thanks
Jeff_Traigle
Honored Contributor
Solution

Re: security policies for system accounts adm, lp, bin etc

Those are always locked even on an un-Trusted System (or should be, anyway). There's no reason to put passwords on them. Some of them don't even have login shells defined. Leave them as they are and don't worry about them.
--
Jeff Traigle
Sridhar Bhaskarla
Honored Contributor

Re: security policies for system accounts adm, lp, bin etc

Dave,

I would worry about setting up passwords or activating those accounts. Ideally, these accounts should be in deactivated state.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: security policies for system accounts adm, lp, bin etc

Dave,

Oops.. I meant "I wouldn't worry".

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Rick Garland
Honored Contributor

Re: security policies for system accounts adm, lp, bin etc

These accounts you can leave alone.

No need to activate these accounts; from a security point of view, these would be more accounts with access to the system that you would need to be aware of. Mostly these accounts exist for ownership (e.g., lp and printing).
Andrew Cowan
Honored Contributor

Re: security policies for system accounts adm, lp, bin etc

It's always a good idea to give these accounts a default shell of "/bin/false", or even your own exe that records the attempted use, then kicks them out. This extra step prevents someone from "su'ing", or getting access via a NULL-shell attack.
The only exception to this is "adm" when process-accounting is activated, as it requires a valid shell to execute some of the admin jobs via cron.
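As an added example (not code from any of the posts above), here is a POSIX shell audit that checks passwd-format entries against the advice in Jeff's and Andrew's replies: each system account should have a locked password field ("*" on a Trusted System) and a non-login shell, with adm allowed a shell only when process accounting needs it. The account list, the set of "locked" password forms, the `ADM_NEEDS_SHELL` switch and the sample passwd lines are all assumptions constructed for the example; check them against your own release before relying on the output.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits passwd(4)-style lines
# for the HP-UX system accounts discussed above. All lists below are
# assumptions; adjust them to match the release you are running.

# System accounts to audit (assumed list; extend as needed).
SYSTEM_ACCOUNTS="adm bin daemon sys lp nobody www webadmin"

# Set ADM_NEEDS_SHELL=1 when process accounting is on: adm then needs a real
# shell for its cron jobs, so its shell is not reported (the thread's exception).
ADM_NEEDS_SHELL="${ADM_NEEDS_SHELL:-0}"

# Shells that cannot be used interactively (assumed set).
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# A password field of "*" (HP-UX locked), or "!" / "*LK*" / "!!" on other
# Unixes, can never match a crypt() hash, so the account cannot log in
# with a password. Anything else (a hash, "x", or empty) is not locked.
is_locked_password() {
    case "$1" in
        '*'|'!'|'*LK*'|'!!') return 0 ;;
        *) return 1 ;;
    esac
}

# audit_system_accounts < passwd-file
# Prints one line per finding, "<user> <problem> [<shell>]", and returns
# 0 when every system account is locked with a non-login shell, else 1.
audit_system_accounts() {
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case " $SYSTEM_ACCOUNTS " in
            *" $user "*) ;;
            *) continue ;;      # not a system account, skip
        esac
        if ! is_locked_password "$pw"; then
            echo "$user not-locked"
            findings=1
        fi
        if [ "$user" = adm ] && [ "$ADM_NEEDS_SHELL" = 1 ]; then
            continue            # accounting needs a shell for adm's cron jobs
        fi
        # An empty shell field still gives a login shell, so report it too.
        if ! is_nologin_shell "${shell:-(empty)}"; then
            echo "$user has-login-shell ${shell:-(empty)}"
            findings=1
        fi
    done
    return $findings
}

# Constructed sample entries modelled on an HP-UX default layout; not taken
# from any real host.
sample_passwd() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
lp:*:9:7::/var/spool/lp:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:/bin/false
dave:AbCdEfGh123:101:20::/home/dave:/usr/bin/sh
EOF
}

# Stand-alone run: audit the sample. On a live host use
#   audit_system_accounts < /etc/passwd
sample_passwd | audit_system_accounts || echo "findings listed above"
```

Every system account in the sample is locked, so nothing is reported as `not-locked`; what the audit does flag is that the default entries still carry `/sbin/sh` (or an empty field), which is exactly the gap Andrew's reply addresses. On a Trusted System the real password state lives under /tcb/files/auth, so treat the "*" in /etc/passwd as the expected marker rather than proof of lockout, and confirm with SAM or `getprpw` as well.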
Indira Aramandla
Honored Contributor

Re: security policies for system accounts adm, lp, bin etc

Hi,

adm - owns accounting files
bin - owns executable files for most user commands
daemon - executes system server processes. It is often used for network utilities.
bin and sys - are used for system files.
lp - owns printing. It is used for the line printer system.
ftp - used for ftp, obviously.
nobody - used in NFS
www & webadmin - used for www processes

No one can log in as these users, as they are disabled. You can leave them as they are.

IA
Never give up, Keep Trying