Subject: Re: Login names and /etc/security
To: None <>
From: Terry Moore <>
List: tech-userlevel
Date: 11/04/2004 08:56:05
At 05:08 PM 11/2/2004 +0200, Mike M. Volokhov wrote:
>And yet another question - logins names, which uses the numbers only
>(for example, "0", "12345678"). It can be accepted by many systems
>without any problems, but looks strange enough like as "dashed" ones.
>Any comments please?

It seems like a bad idea for administrators (and therefore a good idea for 
hackers) to set up user names that looked like valid UID numbers.  This 
could cause great confusion, both in interpreting "ls -l" listings and 
within programs that take user names as parameters.

For example, chown accepts an owner ID:

The owner may be either a numeric user ID or a user name.  If a user name
is also a numeric user ID, the operand is used as a user name.  The group
may be either a numeric group ID or a group name.  If a group name is al-
so a numeric group ID, the operand is used as a group name.

So if a unsuspecting admin, or an adversary, creates a numeric user name 
that is the same as a numeric user ID, but is different, unusual things 
will happen.

In many sites, there are multiple administrators with various levels of 
expertise; /etc/security not only checks for breakins, but also is useful 
for tracking deviations from site-wide policy.

It is therefore a valid thing for /etc/security to check for this kind of 
thing.  If you want to take this out, please create a site-specific option 
which admins must explicitly turn on in /etc/security.conf ....

Best regards,