Subject: Re: Login names and /etc/security
To: None <tech-userlevel@NetBSD.org>
From: Terry Moore <tmm@mcci.com>
List: tech-userlevel
Date: 11/04/2004 08:56:05
At 05:08 PM 11/2/2004 +0200, Mike M. Volokhov wrote:
>And yet another question - login names which use numbers only
>(for example, "0", "12345678"). They are accepted by many systems
>without any problems, but look strange enough, like the "dashed" ones.
>
>Any comments please?
It seems like a bad idea for administrators (and therefore a good idea for
hackers) to set up user names that looked like valid UID numbers. This
could cause great confusion, both in interpreting "ls -l" listings and
within programs that take user names as parameters.
For example, chown accepts an owner ID:
The owner may be either a numeric user ID or a user name. If a user name
is also a numeric user ID, the operand is used as a user name. The group
may be either a numeric group ID or a group name. If a group name is also
a numeric group ID, the operand is used as a group name.
So if an unsuspecting admin, or an adversary, creates a numeric user name
that is the same as a numeric user ID, but is different, unusual things
will happen.
In many sites, there are multiple administrators with various levels of
expertise; /etc/security not only checks for breakins, but also is useful
for tracking deviations from site-wide policy.
It is therefore a valid thing for /etc/security to check for this kind of
thing. If you want to take this out, please create a site-specific option
which admins must explicitly turn on in /etc/security.conf ....
Best regards,
--Terry
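An added illustration of the two points above (not code from the thread or from NetBSD's /etc/security): a policy check that flags all-digit login names in passwd(5)-format data, and a small `resolve_owner` that applies chown(8)'s documented rule (name lookup first, numeric fallback second) so the confusion is visible. The passwd lines are constructed sample data; `check_numeric_logins` and `resolve_owner` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample passwd(5) data, not a real system file.
# Note the login "1001", whose uid (2000) differs from the uid 1001 that alice has.
SAMPLE_PASSWD=$(cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
12345678:*:1002:1002:Numeric Name:/home/12345678:/bin/sh
1001:*:2000:2000:Collides with the uid of alice:/home/1001:/bin/sh
bob:*:1003:1003:Bob:/home/bob:/bin/sh
EOF
)

# check_numeric_logins: read passwd-format lines on stdin and print one
# warning per login name made up only of digits, the way a site-policy
# check in /etc/security might.  Exit status 1 if any were found.
check_numeric_logins() {
    awk -F: '
        $1 ~ /^[0-9]+$/ {
            printf "Login name %s (uid %s) is all digits\n", $1, $3
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# resolve_owner OPERAND: mimic the chown(8) rule quoted in the mail.
# If OPERAND matches a login name in the passwd data on stdin, print that
# entry's uid; otherwise, if OPERAND is numeric, print it as a uid literally.
# Exit status 1 if it is neither.
resolve_owner() {
    awk -F: -v op="$1" '
        $1 == op { print $3; found = 1; exit }
        END {
            if (found) exit 0
            if (op ~ /^[0-9]+$/) { print op; exit 0 }
            exit 1
        }
    '
}

printf '%s\n' "$SAMPLE_PASSWD" | check_numeric_logins || echo "policy violations found"
# With a login named "1001" present, the operand 1001 resolves to uid 2000, not 1001.
printf '%s\n' "$SAMPLE_PASSWD" | resolve_owner 1001
```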