Subject: Unnecessary standard accounts (Was: Root, toor accounts.)
To: Frederick Bruckman <fb@enteract.com>
From: David Brownlee <abs@anim.dreamworks.com>
List: tech-pkg
Date: 03/14/1999 14:13:07
On Sun, 14 Mar 1999, Marc Baudoin wrote:

> - The daemon user only owns the /var/msgs/bounds file:
>   -rw-rw-r--  1 daemon  staff  4 Mar 14 03:16 bounds
>   Is it useful to have a user dedicated to this particular file?
>   Can't it be owned by another user?
>
	Daemon may also be used by lpd. Of all the uids this is one
	I'd really like to stay.

> - The news user doesn't own any file.  Anyway, it's mandatory to
>   have a news user when installing INN.  My question is:  should
>   the news user be distributed in the standard passwd file
>   whereas INN is not in the standard NetBSD distribution?  Then
>   why not distribute more users such as ftp, pop or postfix, just
>   in case?  I'd rather have a range of uids reserved for this
>   kind of thing and the range clearly indicated in the passwd(4)
>   man page or somewhere else in the NetBSD documentation.
>   pkg_add could also make good use of this if it needs to create
>   a dedicated user for a particular program.
>
	Most of the packages seem to use addnerd to create accounts
	as needed. Maybe some of the package people could comment?

> - The ingres and falken users don't own any file.
>
	ingres is in the 'news' camp, but even less likely to be needed :)
	falken has a style of its own :)

> Maybe the great spring housework of /etc/passwd could go a little
> further...
>
	It's a possibility!


On Sun, 14 Mar 1999, Frederick Bruckman wrote:

> On Sun, 14 Mar 1999, Marc Baudoin wrote:
> 
> > The operator user does also trigger a warning in /etc/security
> > after a clean install:
> > 
> > Login operator is off but still has a valid shell (/bin/csh)
> > 
> > As this user doesn't own a single file in a full installation, I
> > wonder if it's useful...
> 
> 'shutdown' is in group operator, and executable only by root and
> operator. Many of the devices are also in the operator group by
> default. In a typical organization, you want numerous people to have
> operator privilege, so that they can perform a controlled shutdown
> when necessary, but not so many people to have root access. The
> alternative of allowing anyone to perform a shutdown is even less
> attractive. Even on my desktop computers, I always give the operator a
> password, and shell, just in case I get locked out.  Of course, I
> could always cycle power and Ctl-\ during the fsck, but that's nasty.

	That is the operator group, as opposed to the operator user.

	As an added bonus the operator user is not in the operator group,
	so cannot run shutdown even if you give it a valid password.
	Aaaaah...

	My inclination would be to:
	a) Put operator in the operator group. This at least opens the
	   possibility of it being useful as an operator.
	b) Switch its default shell to /sbin/nologin to quiet security.

		David/absolute

	"Shall I be tempted by the devil thus?"
	"Yes, if the devil tempt you to do good..."
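
Added example, not part of the original message and not NetBSD's /etc/security script: a small audit that reports the two conditions discussed in the thread, an account whose login is off but which still has a valid shell, and an account that is not a member of the group sharing its name. The sample master.passwd and group records, the shell list, and the assumption that a password field starting with "*" means "login off" are all constructed for illustration.

```python
# Constructed sample records in master.passwd(5) and group(5) layout;
# not copied from a real NetBSD installation.
MASTER_PASSWD = """\
root:CONSTRUCTED-HASH:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
operator:*:2:20::0:0:System &:/usr/guest/operator:/bin/csh
news:*:6:8::0:0:Network News:/var/spool/news:/sbin/nologin
"""
GROUP = """\
wheel:*:0:root
daemon:*:1:daemon
operator:*:5:root
news:*:8:
staff:*:20:root
"""
VALID_SHELLS = {"/bin/sh", "/bin/csh"}  # assumed contents of /etc/shells


def parse(text, nfields):
    """Split colon-separated records, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == nfields:
            rows.append(fields)
    return rows


def audit(passwd_text, group_text, valid_shells=VALID_SHELLS):
    """Return (account, finding, detail) tuples for the two conditions."""
    groups = {}
    for name, _pw, gid, members in parse(group_text, 4):
        groups[name] = (gid, set(filter(None, members.split(","))))
    findings = []
    for rec in parse(passwd_text, 10):
        name, pw, gid, shell = rec[0], rec[1], rec[3], rec[9]
        # Assumption: a password field starting with "*" means login is off.
        if pw.startswith("*") and shell in valid_shells:
            findings.append((name, "login off but valid shell", shell))
        # Membership is either the primary gid or an entry in the member list.
        if name in groups:
            group_gid, members = groups[name]
            if gid != group_gid and name not in members:
                findings.append((name, "not in same-named group", name))
    return findings


if __name__ == "__main__":
    for finding in audit(MASTER_PASSWD, GROUP):
        print(*finding, sep=": ")
```

Applying both proposed changes to the sample data (operator added to the operator group's member list, shell switched to /sbin/nologin) makes the audit return no findings.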