Alan Altmark wrote:
> the "best" Bad Things can and do masquerade as Good Things.
Hey, I thought we were going to avoid politics! :)
> In a Unix system, having a process to ensure that you *don't* orphan files
> when deleting an account would seem to be de rigueur.
Empirically:
* 733T Unix weenies are disinclined to delete system accounts
* Users tend to have their files in two places:
  o /home/~username -- solution, delete their home dir
  o /some/wellknown/shared/work/dir -- chown their files
> If any file exists to which said uid has privileges, then why would you
> delete the account until you clean up the files?
You wouldn't.
> I'm not a Unix sysadmin, but I presume that there are admin packages that
> handle this sort of thing for you. When you discover that the admin tool is
> about to delete /sys/bin/important,
Nothing in /bin /usr/bin /sbin or /usr/sbin is owned by a non-system
account on any sane Unix installation.
> The one constant is change and so I suggest that no auditor or sysadmin
> will know all "necessary" and "not necessary" accounts, and that they must
> work together to turn the unknown into the known.
The response to that is:
* The default /system/ accounts on a modern Linux system are not
  inherently a security exposure
* Don't delete /system/ accounts because it's a lot of work and it
  does /nothing/ for you
* Deleting the /files/ on the other hand, e.g., in /usr/games, can
  save space at least.
> 2. a user account re-using the uid number for the vanished ftp
> account is accidentally created
Hey, if you're going to introduce sloppy sysadmins into the mix
The questioner didn't know to look in the control files for the
numerical limits on uids.
Just one more reason not to mess with system defaults without a genuine
business case.
> Same thing on z/VM: If you don't remove the objects created by or for a
> user, and scrub all of your authorization lists when you delete a virtual
> machine, you shouldn't ever reuse a z/VM user ID. Example: SFS
> directories.
Absotively. The questioner came to the task without that insight as it
pertains to Unix.
But the overarching insight is that the hapless questioner is being tasked
to hop over cracks in the pavement in fear that otherwise someone's mother's
back will get broken.
Wasted human effort. Pfaugh.
--
Jack J. Woehr # «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
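The pre-deletion discipline the thread argues for (don't remove an account while its uid still owns files, and leave uids below UID_MIN alone) as an added shell example; it is not code from the thread or the list. The function names, the sample login.defs and the scratch directory tree are constructed for illustration; the real limits live in /etc/login.defs on Linux.

```shell
# Added example, not from the thread: a pre-deletion check that refuses to
# remove an account while the uid still owns files under the given roots,
# and flags uids below UID_MIN as system accounts to be left alone.

# Read UID_MIN from a login.defs-style file; the path is a parameter so the
# constructed sample below stands in for the real /etc/login.defs.
uid_min_from_defs() {
    awk '$1 == "UID_MIN" { print $2; exit }' "$1"
}

# True when the uid is below UID_MIN, i.e. a system account.
is_system_uid() {
    min=$(uid_min_from_defs "$2")
    [ -n "$min" ] && [ "$1" -lt "$min" ]
}

# Count regular files owned by a numeric uid under one directory.
files_owned_by_uid() {
    find "$2" -uid "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Usage: account_removal_check UID LOGIN_DEFS ROOT...
# Returns 2 for a system uid, 1 while files remain, 0 when removal is safe.
account_removal_check() {
    uid=$1; defs=$2; shift 2
    if is_system_uid "$uid" "$defs"; then
        echo "uid $uid is below UID_MIN (system account); leave it alone"
        return 2
    fi
    total=0
    for root in "$@"; do
        total=$((total + $(files_owned_by_uid "$uid" "$root")))
    done
    if [ "$total" -gt 0 ]; then
        echo "uid $uid still owns $total file(s); chown or remove them first"
        return 1
    fi
    echo "uid $uid owns nothing under the given roots; safe to delete"
}

# Demo on constructed data: a sample login.defs and a scratch tree holding a
# file owned by the invoking user (as root, uid 0 is reported as a system
# account instead, since creating files for other uids needs root anyway).
work=$(mktemp -d)
printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$work/login.defs"
mkdir -p "$work/home/jdoe" "$work/shared" && : > "$work/shared/report.txt"
account_removal_check 48 "$work/login.defs" "$work/home" "$work/shared" || :
account_removal_check "$(id -u)" "$work/login.defs" "$work/home" "$work/shared" || :
rm -rf "$work"
```

Against a real system, pass the account's uid, /etc/login.defs and the roots where users keep files (home directories and shared work trees), and act on the verdict before running userdel.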