Subject: Re: Can't find 'adduser' on 1.3(i386)
To: Simon J. Gerraty <sjg@quick.com.au>
From: The Man <scott@lackluster.net>
List: port-i386
Date: 01/04/1998 19:58:12

On Mon, Jan 05, 1998 at 02:31:33PM +1100, Simon J. Gerraty wrote:
> 
> Running vipw a few times is easier than learning anything
> and generic tools are probably the worst.  I've never bothered putting

...and you learn the standard way of doing things, rather than learning bad
habits such as ``pico /etc/passwd.''

> For example, 
> 
> # cat /home/ext/.adduserrc
> Shell=/bin/ksh
> Group=ext
> uid=9000
> Passwd=11tRy17gmFhBI
> PW_AGE=immediate
> list=yes
> 

I like this idea, but don't like the idea of having a default password for all 
accounts.  I suppose it's OK when having to add over ten users at a time, but
I would use a different default every time I had to perform such a task.
For example, use f00B@r1 for a batch, and change it the next time I had to add
a batch of users.  Repetition and passwords do not mix well when it comes to
security.

And my next problem with this is the fact that the default password is stored
in a file on the filesystem.  There have been enough problems with being able
to read files without permission to prevent me from ever considering such a thing.
Yes, if someone breaks in and finds a way to become root or get a uid of 0,
you'll have other problems to worry about.  I guarantee you that if I were
in such a situation and found a default password, I'd be using the hell out of
it.  Yes, it's encrypted, but we all know what Crack is.  And default
passwords usually aren't the most secure in the first place.

> Defaults:
>         Group=ext
>         Homes=/home/ext
>         Shell=/bin/ksh
>         Passwd=11tRy17gmFhBI
>         Initial uid=9000

Ack, you're printing that to a terminal?  I hope you're not using X.  And yes, 
I'm paranoid.  :)

> adds the user (and if /home/ext/default exists, its content would have been
> replicated into the new dir) and sets the passwd to expire immediately.

That's what /etc/skel, /usr/share/skel, et al are for.  :)

Hm, this is veering off into non-specific Unix territory...

Cheers,
Scott

-- 
Scott Smith
scott@lackluster.net

Mail received via UUCP, read with Mutt, and composed with vi on NetBSD-1.2G.
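
Added example (not part of the original message): a defender's check for the two concerns raised above, a default password hash kept in a readable file and accounts that never changed it. It assumes the adduser tool copies the rc file's Passwd value verbatim into the password field; audit(), parse_rc(), demo() and the sample data are constructed for illustration.

```python
import os
import re
import stat
import tempfile

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash

def parse_rc(text):
    """Parse key=value lines of an adduserrc-style file (format as quoted above)."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(rc_path, master_passwd_lines):
    """Return a list of findings for one rc file and a set of passwd entries."""
    findings = []
    mode = stat.S_IMODE(os.stat(rc_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("rc file readable by group/other (mode %04o)" % mode)
    with open(rc_path) as fh:
        default_hash = parse_rc(fh.read()).get("passwd")
    if not default_hash:
        return findings
    findings.append("rc file stores a default password hash")
    if DES_CRYPT.match(default_hash):
        findings.append("hash is traditional DES crypt (2-char salt, 8-char password limit)")
    # Assumption: the rc file holds a precomputed hash, so every account created
    # from it gets the identical string; a match means the default was never changed.
    for entry in master_passwd_lines:
        fields = entry.split(":")
        if len(fields) > 1 and fields[1] == default_hash:
            findings.append("account %s still has the default hash" % fields[0])
    return findings

def demo():
    # Constructed sample data; both hashes are made-up placeholders.
    rc_text = "Shell=/bin/ksh\nGroup=ext\nuid=9000\nPasswd=abCDEFGHIJKLM\nPW_AGE=immediate\n"
    passwd = ["alice:abCDEFGHIJKLM:9000:900::0:0:Alice:/home/ext/alice:/bin/ksh",
              "bob:xyQRSTUVWXYZ0:9001:900::0:0:Bob:/home/ext/bob:/bin/ksh"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".adduserrc")
        with open(path, "w") as fh:
            fh.write(rc_text)
        os.chmod(path, 0o644)  # the weak setting; 0600 clears the first finding
        return audit(path, passwd)

if __name__ == "__main__":
    print("\n".join(demo()))
```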