Unnecessary preinstalled users

 
Bruce Copeland
Trusted Contributor

Unnecessary preinstalled users

Red Hat (and Fedora) Linux distributions ship with quite a few preinstalled users (bin, mail, ftp, nobody, etc.). I know what purpose quite a few of these serve, but I don't have a clue about some of the others. Does anyone know if there is a list anywhere that describes each of these users and the consequences of removing them? For obvious security reasons, I'd like to get rid of the unnecessary users.

Bruce
Nicolas Dumeige
Esteemed Contributor

Re: Unnecessary preinstalled users

Why don't you just check that those accounts have /nologin as login shell?

Therefore, you would not take any risk that a software will need this account and you would save the time needed to check and "clean" those accounts.
All different, all Unix
Bruce Copeland
Trusted Contributor

Re: Unnecessary preinstalled users

Most of them already have /sbin/nologin as their login, but some of them like sync and halt are installed with /sbin/"username". I guess my question is 'Why do some of these come preinstalled with an actual login?'

Bruce
Steven E. Protter
Exalted Contributor

Re: Unnecessary preinstalled users

Most of the users are there for very good reasons. The user needs to be there to own binaries, run a daemon and such.

I've found that on these users I can set a password on them without affecting the underlying application.

It is possible for these users to be exploited. That's why I generally build my systems off line, then take note of what those users are.

I would not delete many of these users as functionality will be affected.

It's better to have the user than not. Let's say I have a user called named. He runs the DNS/BIND daemon. It takes some configuration to make that happen, but if someone exploits DNS/BIND under this scenario they get named privileges, not root privileges.

Hope this helps.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bruce Copeland
Trusted Contributor

Re: Unnecessary preinstalled users

Thanks SEP.

I knew that many of these users were associated with daemons and that removing them might break something. I'll see if I can (one at a time) add passwords to some of them. That's easy to do on individual Linux boxes. The server is more problematic, since it rarely gets completely rebooted, and I think a reboot is probably what it takes to fully test a change in user status.

I'm still a little surprised there isn't more organized documentation on these various preinstalled users. Seems like a security hole since most individual Linux users and a fair number of administrators won't have the know-how or patience to investigate this issue.

Bruce
Olivier Drouin
Trusted Contributor

Re: Unnecessary preinstalled users

If they have /sbin/nologin (or /bin/false) shell you shouldn't worry about them, they will not be exploited. If they have other programs as shell just keep these programs up to date.

I agree with you though that it should be better documented since this is very distribution specific.
Stuart Browne
Honored Contributor
Solution

Re: Unnecessary preinstalled users

By default, these users will have a /etc/shadow password entry of '!!'. Simply put, someone can try to hack that account (using password/dictionary attacks) and never break it.

'!!' is shadow for "Never will a password match this!". There is no possible string that will encrypt to match it.

Apart from the fact that they have '/sbin/nologin' as their shell, someone would have had to have already hacked into the system in order to utilize these accounts.

Putting a password on these accounts actually reduces their protection.
One long-haired git at your service...
Bruce Copeland
Trusted Contributor

Re: Unnecessary preinstalled users

Thanks Stuart. That clears things up AND saves me some work.

Bruce
Steven E. Protter
Exalted Contributor

Re: Unnecessary preinstalled users

What Stuart points out was new to me. My advice was based on Linux 7.3 experience, where I had a few default users hacked.

Point totals do not tell the whole story. Stuart is the most knowledgeable person I've run into in this forum.

If Stuart ever disagrees with me, go with him first.

SEP
Manuel Wolfshant
Trusted Contributor

Re: Unnecessary preinstalled users

On workstations, I have always deleted some of the default users, such as news/ftp/gopher and similar. These are users used by some specific servers and whenever I knew those servers will never run on a particular machine, I deleted that specific user(s). Never had problems because those users disappeared during the last 4 years. A hint in choosing the unnecessary users: their home directory, as specified by /etc/passwd, does not actually exist. It is created and populated with files only when the server software is installed.

As a sidenote, I am still curious what is the "operator" user meant for. I've seen several machines hacked, where "operator" was used as a backdoor for root. OTOH, never seen any software making use of this specific user.
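
The checks discussed in this thread (the '!!' shadow entries and nologin shells from Stuart's reply, and the missing-home-directory hint from Manuel's reply) can be run in one pass over the account files. This is an added example, not part of the original posts; the UID cutoff of 499, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit system accounts from passwd- and shadow-format files.
# Assumption: system accounts have UID <= 499 (override with SYS_UID_MAX).

audit_accounts() {  # usage: audit_accounts PASSWD_FILE SHADOW_FILE
    awk -F: -v max="${SYS_UID_MAX:-499}" '
        # First file (shadow): remember each password field; then classify passwd.
        FILENAME == ARGV[1] { pw[$1] = $2; seen[$1] = 1; next }
        $3 + 0 <= max {
            if (!($1 in seen))         state = "no-shadow-entry"
            else if (pw[$1] == "")     state = "EMPTY-PASSWORD"
            else if (pw[$1] ~ /^[!*]/) state = "locked"
            else                       state = "PASSWORD-SET"
            shell = ($7 ~ /\/(nologin|false)$/) ? "no-login-shell" : "shell=" $7
            print $1 ":" state ":" shell ":" $6
        }
    ' "$2" "$1" |
    while IFS=: read -r name state shell home; do
        # A missing home directory suggests the related service is not installed.
        if [ -d "$home" ]; then h=home-present; else h=home-missing; fi
        printf '%s %s %s %s\n' "$name" "$state" "$shell" "$h"
    done
}

make_sample() {  # writes constructed sample files into directory $1
    mkdir -p "$1/bin" "$1/sbin"
    cat > "$1/passwd" <<EOF
root:x:0:0:root:$1/bin:/bin/bash
bin:x:1:1:bin:$1/bin:/sbin/nologin
sync:x:5:0:sync:$1/sbin:/bin/sync
halt:x:7:0:halt:$1/sbin:/sbin/halt
news:x:9:13:news:$1/news:/sbin/nologin
ftp:x:14:50:FTP User:$1/ftp:/sbin/nologin
bruce:x:500:500::$1/bruce:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$notARealHash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
sync:!!:12000:0:99999:7:::
halt:!!:12000:0:99999:7:::
news:!!:12000:0:99999:7:::
ftp:$1$constructed$notARealHash:12000:0:99999:7:::
EOF
}
tmp=$(mktemp -d)
make_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system, run `audit_accounts /etc/passwd /etc/shadow` as root, since /etc/shadow is not world-readable.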