SUMMARY: Safe to disable unused accounts?

From: Jonathan Williams (jonathw@shubertorg.com)
Date: Thu Sep 23 2004 - 14:43:04 EDT

• Next message: Deacy, Michael: "Password shadowing"
• Previous message: Jonathan Williams: "Safe to disable unused accounts?"
• In reply to: Jonathan Williams: "Safe to disable unused accounts?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Wow, nice and fast responses from Ann Majeske and Dr. Blinn.

The short answer is yes, feel free to lock these accounts, but DO NOT REMOVE
THEM.

And for the longer version, I'll paste Ann's response:

"Sure, its OK to lock accounts that will not be logged into,
including the accounts you listed below. There are a
number of ways you can lock them in Enhanced Security
including the administrative lock (setting u_lock vs u_lock@)
and setting the u_pwd field to a bogus value, see "man
prpasswd for description of the fields. I'm not sure I'd
set them as retired (u_retired) as that may do more than
just prevent logins.

Most of these users should not be removed as they are used
by the system for a variety of things, some of which are
UNIX legacy and/or industry standards. Even if you
don't use the functionality there are files out there owned
by these users, so if you create new users with the UIDs
assigned to these users you could be giving those users
unintended access and/or priviledges.

The only ones that I know could be deleted are uucp and
uucpa, as long as you don't use uucp, of course. But there's
still the issue of potentially reassigning the UID to someone
else, so I'm not sure I'd do more than disable these as well."

Thanks so much. :)

Jonathan Williams
Unix Systems Administrator
The Shubert Organization, Inc.

----- Original Message -----
From: "Jonathan Williams" <jonathw@shubertorg.com>
To: <Tru64-UNIX-Managers@ornl.gov>
Sent: Thursday, September 23, 2004 2:00 PM
Subject: Safe to disable unused accounts?

| Hi. I'm running Tru64 5.1b, pk 3 on a variety of ES machines.
|
| I was just wondering if it is OK to disable (ie lock) some of the system
default
| acounts. The accounts in question are:
|
| auth
| bin
| cron
| daemon
| lp
| tcb
| uucp
| uucpa
|
| Apparently these accounts have never ever been accessed, so I would assume
it's
| safe to lock them (maybe even remove then entirely), but just wanted to be
sure.
| TIA
|
| Jonathan Williams
| Unix Systems Administrator
| The Shubert Organization, Inc.
|
|
|

• Next message: Deacy, Michael: "Password shadowing"
• Previous message: Jonathan Williams: "Safe to disable unused accounts?"
• In reply to: Jonathan Williams: "Safe to disable unused accounts?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:08 EDT