Adam Spickler <[EMAIL PROTECTED]>:
> Hello,
> In /etc/passwd verify that they are actually loginable. Some
> daemons/programs, etc need an account to run, but don't actually
> need to log in. This would be for security reasons, so you don't run
> it as root, thus, making it harder for someone to exploit your
> server and gain root access.
>
> -Adam
>
> On Mon, Oct 14, 2002 at 09:47:42AM -0400, R. Bradley Tilley wrote:
> > Hello,
> >
> > I am experimenting with a Debian system to be used as a firewall/gateway. I am
> > using Debian 3.0 with the 2.4.18 kernel. I did a basic install selecting the
> > Unix server task. Just wondering why there are so many accounts with shell
> > access installed by default?
> >
> > games, irc, news, gnats, lp, uucp, operator, backup, etc.
> >
> > For security reasons, I would like to remove these accounts, but I don't
> > understand how the system uses them, or if it uses them at all. Can someone
> > explain this? Also, what are the bare minimum accounts?
> >
> > Thank you,
> > Brad
...

Also, we use the login name <-> uid conversion present in /etc/passwd
and the ability to control access to files by virtue of using
different uids for different purposes:

# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' passwd
games:x:5:100:games:/usr/games:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
irc:x:39:39:ircd:/var:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

But the shell doesn't have to be a valid login shell. Setting the shell
to /bin/false might help. mysql and sshd do run on my box:

# grep false passwd
identd:x:100:65534::/var/run/identd:/bin/false
telnetd:x:102:102::/usr/lib/telnetd:/bin/false
cvs:x:103:103::/home/cvsroot:/bin/false
smmsp:x:105:105:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
oftpd:x:101:65534::/home/oftpd:/bin/false
sshd:x:104:65534::/var/run/sshd:/bin/false
mysql:x:106:106:MySQL Server:/var/lib/mysql:/bin/false
dictd:x:107:107::/home/dictd:/bin/false

And the account should be disabled like in:

# egrep '(games|irc|news|gnats|lp|uucp|operator|backup)' shadow
games:*:11700:0:99999:7:::
lp:*:11700:0:99999:7:::
news:*:11700:0:99999:7:::
uucp:*:11700:0:99999:7:::
backup:*:11700:0:99999:7:::
operator:*:11700:0:99999:7:::
irc:*:11700:0:99999:7:::
gnats:*:11700:0:99999:7:::

Regards,
/Karl

-----------------------------------------------------------------------
Karl Hammar                    Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                +46 173 140 57      Networks
S-742 94 Östhammar             +46 18 26 09 00     Computers
Sweden                         +46 10 270 26 67    Consulting
-----------------------------------------------------------------------
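
Added example, not part of the thread: a shell function that joins passwd and shadow to report, per account, whether the shell field is usable and whether the password field is locked, which are the two checks the replies above describe. The games and sshd passwd lines and the games shadow line are taken from the message; the sshd shadow line, the "demo" account and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data: games and sshd passwd lines and the games shadow
# line are quoted in the thread; the sshd shadow line and "demo" are made up.
sample_passwd() { cat <<'EOF'
games:x:5:100:games:/usr/games:/bin/sh
sshd:x:104:65534::/var/run/sshd:/bin/false
demo:x:1000:1000:constructed user:/home/demo:/bin/sh
EOF
}
sample_shadow() { cat <<'EOF'
games:*:11700:0:99999:7:::
sshd:!:11700:0:99999:7:::
demo:$1$constructed$placeholder:11700:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW
# Prints "name shell-verdict password-verdict" for every passwd entry.
audit_accounts() {
    awk -F: -v shadow="$2" '
        BEGIN {   # load the password field of every shadow entry
            while ((getline line < shadow) > 0) { split(line, f, ":"); pw[f[1]] = f[2] }
            close(shadow)
        }
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty shell field means /bin/sh
            s = (shell ~ /\/(false|nologin)$/) ? "no-shell" : "shell"
            if (!($1 in pw))           p = "no-shadow-entry"
            else if (pw[$1] == "")     p = "EMPTY-PASSWORD"
            else if (pw[$1] ~ /^[*!]/) p = "locked"   # no hash can match
            else                       p = "password-set"
            print $1, s, p
        }
    ' "$1"
}

# loginable_accounts PASSWD SHADOW
# Names that have both a real shell and a usable (or empty) password.
loginable_accounts() {
    audit_accounts "$1" "$2" |
        awk '$2 == "shell" && ($3 == "password-set" || $3 == "EMPTY-PASSWORD") { print $1 }'
}

tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"
sample_shadow > "$tmp/shadow"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

An account such as games is reported as "shell locked": the password field refuses password logins, but the shell field is still /bin/sh, which is the case where setting it to /bin/false applies.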

