We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuucp; however, the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?

It is a good idea to remove (or disable) some accounts on certain backroom servers. At our site we delete these users

USERS="smtp nuucp listen nobody4"

And we disable (shell is /bin/true) + lock (shadow entry is *LK*) these users (but watch out for a user requiring cron).

USERS="daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 smtp"

There are lots of packages we remove (and their contents go with them). As for the files associated with the users you mention, I suspect there are some problems. You should look at your package inventory. E.g.,

[3:45pm boss] grep ' smmsp ' /var/sadm/install/contents
/usr/lib/sendmail f none 2555 root smmsp 1020552 31064 1158775758 SUNWsndmu
/var/spool/clientmqueue d none 0770 smmsp smmsp SUNWsndmr

And you should be thinking more about removing packages, not the files within packages. E.g.,

# [12:52pm ist] pkginfo | grep -i uucp
# system      SUNWbnur       Networking UUCP Utilities, (Root)
# system      SUNWbnuu       Networking UUCP Utilities, (Usr)

Remove those packages and the files they contain will go. On the userids you mention:

--- disclaimer: This is my best guess, don't sue me for work required to restore your system.

1) lp is required for print services you offer and print services you use. If you're not using any then you can get rid of the associated packages.

2) smmsp is required for sendmail queue, that might be very dangerous to remove.

3) www ... what packages is that associated with?

4) I certainly recommend you get rid of packages owned by users uucp and nuucp -- that's ancient history stuff that's seldom required.

We have some work to test, harden, and monitor Solaris 10 systems given an established policy (along the lines of what we did for earlier versions described here http://ist.uwaterloo.ca/security/howto/2000-09-19/) which we could share. We have not got the documentation in any order but the many scriptlets that address issues like the above are in good shape. And we have working policies that we enforce on our servers. If anyone is interested -- contact me off list.

I am, Reg Quinton <[EMAIL PROTECTED]>
     Senior Technologist, Security
     Information Systems and Technology
     University of Waterloo, 200 University Ave W
     Waterloo, Ontario N2L 3G1 Canada
     +1 519 888-4567x6070
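The package-inventory check the reply describes, written out as an added example (not the poster's own script and not Sun's code): it scans the Solaris contents file for entries whose owner or group is one of the removed accounts and lists the packages that own them, so the admin can remove packages rather than loose files. The inventory lines below are a constructed sample; on a real system feed /var/sadm/install/contents on stdin.

```shell
#!/bin/sh
# Added example, not from the original post: scan the Solaris package inventory
# (/var/sadm/install/contents) for files still owned by removed accounts and report
# the package each file belongs to, so the whole package can be removed with pkgrm
# instead of deleting files by hand.
# Real use:  orphaned_files "lp smmsp www uucp nuucp" < /var/sadm/install/contents

# Constructed sample of a contents file so the script runs offline (not real data).
sample_contents() {
    cat <<'EOF'
/usr/lib/sendmail f none 2555 root smmsp 1020552 31064 1158775758 SUNWsndmu
/var/spool/clientmqueue d none 0770 smmsp smmsp SUNWsndmr
/usr/sbin/sendmail=../lib/sendmail s none SUNWsndmu
/etc/mail d none 0755 root mail SUNWsndmr SUNWsndmu
/usr/bin/uucp f none 4511 uucp uucp 74812 12345 1158775758 SUNWbnuu
/var/spool/uucp d none 0775 uucp uucp SUNWbnur
/usr/bin/ls f none 0555 root bin 23456 6789 1158775758 SUNWcsu
EOF
}

# orphaned_files "user1 user2 ..." < contents
# Prints one line per inventory entry owned (by owner or group) by a listed
# account: account<TAB>path<TAB>package(s).
orphaned_files() {
    awk -v users="$1" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
    {
        # d entries:     path d class mode owner group pkg...
        # f/e/v entries: path f class mode owner group size cksum mtime pkg...
        # s/l entries carry no owner and device entries differ; skip them.
        if ($2 == "d") start = 7
        else if ($2 ~ /^[fev]$/) start = 10
        else next
        if (!($5 in want) && !($6 in want)) next
        who = ($5 in want) ? $5 : $6
        pkgs = $start
        for (i = start + 1; i <= NF; i++) pkgs = pkgs " " $i
        printf "%s\t%s\t%s\n", who, $1, pkgs
    }'
}

# packages_for_users "user1 user2 ..." < contents
# The distinct packages that would have to go (review each with pkginfo -l first).
packages_for_users() {
    orphaned_files "$1" | awk -F'\t' '
        { n = split($3, p, " "); for (i = 1; i <= n; i++) print p[i] }' | LC_ALL=C sort -u
}

sample_contents | packages_for_users "lp smmsp www uucp nuucp"
```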