On Thu, Dec 10, 2020 at 03:35:50PM +0000, Tixy wrote:
> Why would you execute sudo or su on the target machine to change to one
> of these unneeded users, presumably you can do whatever mischief is
> your aim by using the account you are executing su or sudo from. Or by
> changing to another valid user on that machine if you are a legitimate
> user and were trying to cover your tracks.

If you have full sudo access, you're *already* at the top of the food
chain.  You can create a new user and switch to it.  You can delete
users.  You can lock and unlock users.  You can do literally everything,
because you're the superuser.

Putting additional entries in the passwd file is not a security issue,
unless those entries have guessable passwords, or some other means of
logging in as them from a remote system, or from a different non-root
user account.

Additional entries in passwd are useful for *lots* of things, such as
running a service as a UID that has no other access.  They are not a
reduction in security.  Properly used, they can increase security.

In the context of the original question, having a consistent set of
local user accounts (name/UID pairs) across all of your systems in
an NFS environment is useful for making sure all files have consistent
ownership.  Even on the systems where, say, charlie will never log in,
seeing that the files in /home/charlie are owned by user "charlie" is
helpful.
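The two points in the message above, that a service account is harmless only if nothing can log in as it, and that name/UID pairs must agree across NFS hosts for ownership to mean anything, as an added checker. This is example code written for this page, not something from the thread; the host names, account names, shadow hashes and the `backup-svc` account are constructed for the demo.

```python
"""Audit local accounts across hosts (added example, not from this thread).

Check 1: each name maps to one UID on every host and no UID is reused by a
         different name, which is what consistent NFS ownership needs.
Check 2: accounts that exist only to run a service cannot actually be
         logged into: non-interactive shell plus a locked shadow password.
All host names, accounts and hashes below are constructed sample data.
"""
from collections import defaultdict

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {name: {uid, gid, home, shell}} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {name: password_field} from shadow(5)-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[fields[0]] = fields[1]
    return hashes


def is_locked(pw_field):
    """shadow(5): a field starting with '!' or '*' can never match a password.
    An EMPTY field is the opposite case: no password is needed at all."""
    return pw_field.startswith(("!", "*"))


def uid_inconsistencies(passwd_by_host):
    """Names whose UID differs between hosts, and UIDs that belong to
    different names on different hosts. Either one makes NFS ownership lie."""
    by_name, by_uid = defaultdict(dict), defaultdict(dict)
    for host, users in passwd_by_host.items():
        for name, info in users.items():
            by_name[name][host] = info["uid"]
            by_uid[info["uid"]][host] = name
    name_conflicts = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    uid_conflicts = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return name_conflicts, uid_conflicts


def loginable_service_accounts(users, shadow, service_accounts):
    """Among accounts that should never log in, list those that still could."""
    findings = []
    for name in service_accounts:
        if name not in users:
            continue
        reasons = []
        shell = users[name]["shell"]
        if shell not in NOLOGIN_SHELLS:
            reasons.append(f"interactive shell {shell}")
        pw = shadow.get(name)
        if pw is None:
            reasons.append("no shadow entry")
        elif pw == "":
            reasons.append("empty password field (passwordless login)")
        elif not is_locked(pw):
            reasons.append("password hash present, not locked")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample data for two hypothetical hosts; hashes are placeholders.
PASSWD = {
    "nfs-server": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "charlie:x:1001:1001:Charlie:/home/charlie:/bin/bash\n"
        "backup-svc:x:998:998:backup service:/var/lib/backup:/usr/sbin/nologin\n"
    ),
    "nfs-client": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "dave:x:1001:1001:Dave:/home/dave:/bin/bash\n"          # UID 1001 reused
        "charlie:x:1002:1002:Charlie:/home/charlie:/bin/bash\n"  # charlie moved
        "backup-svc:x:998:998:backup service:/var/lib/backup:/bin/sh\n"
    ),
}
SHADOW = {
    "nfs-server": (
        "root:$6$constructed$notarealhash:19000:0:99999:7:::\n"
        "charlie:$6$constructed$notarealhash:19000:0:99999:7:::\n"
        "backup-svc:*:19000:0:99999:7:::\n"
    ),
    "nfs-client": (
        "root:$6$constructed$notarealhash:19000:0:99999:7:::\n"
        "dave:$6$constructed$notarealhash:19000:0:99999:7:::\n"
        "charlie:$6$constructed$notarealhash:19000:0:99999:7:::\n"
        "backup-svc::19000:0:99999:7:::\n"  # empty field: no password needed
    ),
}
SERVICE_ACCOUNTS = ["backup-svc"]


def run_audit(passwd_by_host=PASSWD, shadow_by_host=SHADOW, service_accounts=SERVICE_ACCOUNTS):
    parsed = {h: parse_passwd(t) for h, t in passwd_by_host.items()}
    name_conflicts, uid_conflicts = uid_inconsistencies(parsed)
    loginable = {h: loginable_service_accounts(parsed[h], parse_shadow(shadow_by_host[h]),
                                               service_accounts) for h in parsed}
    return {"name_conflicts": name_conflicts, "uid_conflicts": uid_conflicts,
            "loginable": loginable}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On real systems you would feed `run_audit` the contents of `/etc/passwd` and `/etc/shadow` collected from each host (reading shadow needs root) rather than the constructed strings. The empty-password case is deliberately reported separately from an unlocked hash: both let someone in, but the first needs no guessing at all, which is exactly the "some other means of logging in" the message warns about.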
