Stephen Frost <[EMAIL PROTECTED]> writes:

> * Thomas Bushnell BSG ([EMAIL PROTECTED]) wrote:
>> Stephen Frost <[EMAIL PROTECTED]> writes:
>> 
>> > Leaving around unused accounts is plainly wrong too, and also a
>> > potential security risk.  
>> 
>> Can you outline the risk please?
>
> Sure.  Locking accounts isn't necessarily perfect.

What is an account in the password file?  It's nothing more than the
ability to log in under a given UID.  How is a starred password
anything other than perfect locking of the account?

> Checking that an account is locked requires going through more of
> the authentication system than just checking if the account exists.
> What happens if an admin gives a password to a system account and
> then forgets about the account after purging the software it's
> associated with?

The same thing that happens if he creates a setuid program using that
UID.  


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

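The locking semantics argued over above (a starred or `!`-prefixed password field in the shadow file, versus a system account that has quietly been given a real password) as an added audit script. This is example code, not from either poster or from Debian. It assumes the Debian convention that UIDs below 1000 are system accounts, and it runs on constructed sample entries embedded in the file; on a real system it would read /etc/passwd and /etc/shadow, which requires root.

```python
"""Audit passwd/shadow entries for system accounts that are not actually locked."""
import sys
from typing import Dict, List, Tuple

# Constructed sample data (not from a real host), in /etc/passwd and /etc/shadow format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
olddb:x:105:110:Old database service:/var/lib/olddb:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
olddb:$6$saltsalt$anotherfakehash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$saltsalt$yetanotherfakehash:19000:0:99999:7:::
"""

SYSTEM_UID_MAX = 999  # assumption: Debian allocates UIDs below 1000 to system accounts


def password_locked(field: str) -> bool:
    """True if a shadow password field can never match a typed password.

    '*' is the conventional "no password" marker; a leading '!' is what
    passwd -l / usermod -L prepend to an existing hash to lock it.
    An empty field is NOT locked: it means login without any password.
    """
    return field == "*" or field.startswith("!")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Parse passwd/shadow-style lines into {username: fields}."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for accounts whose login state is not what
    an admin would assume just from seeing the account in the password file."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings: List[Tuple[str, str]] = []

    for name, fields in passwd.items():
        uid = int(fields[2])
        pw_field = fields[1]

        if pw_field == "":
            findings.append((name, "empty password field in passwd: no password required"))
            continue
        if pw_field != "x":
            findings.append((name, "credential stored in passwd rather than shadow"))
            continue

        sh = shadow.get(name)
        if sh is None:
            findings.append((name, "no shadow entry: lock state undefined"))
            continue

        hash_field = sh[1]
        if hash_field == "":
            findings.append((name, "empty shadow password: login without a password"))
        elif uid != 0 and uid <= SYSTEM_UID_MAX and not password_locked(hash_field):
            # This is the case raised in the thread: a service account that was
            # handed a real password and then left behind after the package went.
            findings.append((name, "system account with a usable password hash"))

    return findings


if __name__ == "__main__":
    # Real run needs root to read /etc/shadow; falls back to the constructed sample.
    try:
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            results = audit(p.read(), s.read())
    except OSError:
        results = audit(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, reason in results:
        print(f"{user}: {reason}")
    sys.exit(1 if results else 0)
```

On the sample data only `olddb` is reported: `daemon` and `backup` carry `*` and `!` fields, which is the "perfect locking" the thread describes, while `olddb` is a UID-105 service account whose hash would still accept a password. Note that this checks only the password field; PAM modules, `nologin` shells and SSH key files are separate gates, which is the sense in which checking that an account is locked means going through more of the authentication system than checking that it exists.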