IT Baseline Protection Manual

S 4.13 Careful allocation of identifiers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

In Unix systems, user IDs and group IDs of processes and/or files are used, inter alia, to establish the originators of actions and to allocate rights. Therefore, assignment of such IDs should be handled very carefully.

Each log-in name, each user ID (UID) and each group ID (GID) must be unique. Even after a user or a group has been deleted, its log-in name and its UID or GID should not be re-allocated for a certain period of time.

Every user must be a member of at least one group. Every GID appearing in the /etc/passwd file must be defined in the /etc/group file.

Every group should comprise only those users who are absolutely required. This is particularly important in the case of system groups (such as root, sys, bin, adm, news, uucp, nuucp or daemon).

Log-ins with the UID 0 (superuser) may, apart from the system administrator root, be granted only for administrative log-ins according to the previously established rules (cf. S 2.33 Division of administrator roles under Unix).

It is good policy to lay down name conventions for log-in names and UIDs/GIDs.

The files /etc/passwd and /etc/group should not be edited directly with a text editor, as errors can seriously impair the security of the system. Only the appropriate administration tools should be used; these are specific to the system in question.
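As an added example, not taken from the BSI manual, the following Python script checks a passwd/group pair against the rules above: unique log-in names, UIDs and GIDs; every primary GID in /etc/passwd defined in /etc/group (which also ensures each user has at least one group); only approved UID-0 log-ins; and a review list of who sits in the system groups named above. It only reads the files, leaving changes to the system's own administration tools. The embedded passwd and group contents are constructed test data that deliberately break several rules; the `SYSTEM_GROUPS` set, the `allowed_uid0` parameter and the `load_system_files` helper are my assumptions about how the rules are parameterised.

```python
"""Audit a passwd/group pair against the identifier rules of S 4.13.

Added example, not part of the BSI manual. It only reads the files; changes
are left to the system's own administration tools (useradd, vipw, ...).
"""
from collections import Counter

# System groups named in S 4.13 whose membership should be kept minimal (assumption: treat as a fixed set).
SYSTEM_GROUPS = {"root", "sys", "bin", "adm", "news", "uucp", "nuucp", "daemon"}

# Constructed sample data that deliberately breaks several of the rules.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1000:Bob:/home/bob:/bin/bash
carol:x:1001:2000:Carol:/home/carol:/bin/bash
alice:x:1002:1000:second alice:/home/alice2:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
bin:x:2:bob
alice:x:1000:bob
staff:x:50:alice,bob
wheel:x:50:
"""


def parse_colon_file(text, min_fields):
    """Yield the colon-separated fields of every non-empty, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"line {lineno}: expected {min_fields} fields: {line!r}")
        yield fields


def audit(passwd_text, group_text, allowed_uid0=("root",)):
    """Return rule -> findings; all lists empty means the rules are met.

    allowed_uid0 (assumption): the UID-0 log-in names permitted by the site's
    rules (cf. S 2.33); every other UID-0 entry is reported.
    """
    users = [(f[0], int(f[2]), int(f[3])) for f in parse_colon_file(passwd_text, 7)]
    groups = [(f[0], int(f[2]), [m for m in f[3].split(",") if m])
              for f in parse_colon_file(group_text, 4)]

    name_count = Counter(name for name, _, _ in users)
    # UID 0 is covered by the unexpected_uid0 rule, since S 4.13 allows further
    # administrative UID-0 log-ins; it is excluded from the uniqueness check.
    uid_count = Counter(uid for _, uid, _ in users if uid != 0)
    gname_count = Counter(name for name, _, _ in groups)
    gid_count = Counter(gid for _, gid, _ in groups)
    known_gids = {gid for _, gid, _ in groups}

    return {
        "duplicate_login_names": sorted(n for n, c in name_count.items() if c > 1),
        "duplicate_uids": sorted(u for u, c in uid_count.items() if c > 1),
        "duplicate_group_names": sorted(n for n, c in gname_count.items() if c > 1),
        "duplicate_gids": sorted(g for g, c in gid_count.items() if c > 1),
        # Every GID in passwd must be defined in group; this also guarantees
        # that each user belongs to at least one group.
        "primary_gid_not_in_group": sorted((n, g) for n, _, g in users if g not in known_gids),
        "unexpected_uid0": sorted(n for n, u, _ in users if u == 0 and n not in allowed_uid0),
        # Not a violation by itself, but every member must be justified.
        "system_group_members": sorted((g, m) for g, _, members in groups
                                       if g in SYSTEM_GROUPS for m in members),
    }


def violations(findings):
    """Only the rule breaches; system-group membership is a review list."""
    return {k: v for k, v in findings.items() if v and k != "system_group_members"}


def load_system_files(passwd="/etc/passwd", group="/etc/group"):
    """Read the live files (assumption: a Unix host with classic flat files)."""
    with open(passwd) as p, open(group) as g:
        return p.read(), g.read()


if __name__ == "__main__":
    for rule, hits in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{rule:28s} {hits}")
```

Run as-is it reports the constructed defects (the second `alice`, the shared UID 1001, GID 50 defined twice, `carol`'s undefined GID 2000 and the extra UID-0 log-in `toor`); to check a real host, pass the result of `load_system_files()` to `audit()` and a site-specific `allowed_uid0` tuple. Hosts that use NIS, LDAP or other name services need the merged database (for example the output of `getent passwd` and `getent group`) rather than the flat files alone.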

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: January 2000