On Tuesday, 11/03/2009 at 10:52 EST, Jack Woehr <j...@well.com> wrote:
> Alan Altmark wrote:
> > But to implement the policy, *someone* has to be the
> > arbiter of "necessary", and I don't think it should be the system that's
> > being audited!
> In the specific instance, most estimable Alan, your general guidance is
> wrong.
>
> Marcy was asking for help in deleting accounts she did not know the
> purpose of,
> /and/ the system /is/ the arbiter in that these system accounts own
> system files
> which are orphaned if the system accounts are deleted.
Ah, semantics. :-) People arbitrate (decide). Machines obey. The mere presence of a user account does not justify its existence. The fact that it can't be used to log in does not mitigate the requirement for justification, as the "best" Bad Things can and do masquerade as Good Things.

In a Unix system, having a process to ensure that you *don't* orphan files when deleting an account would seem to be de rigueur. If any file exists to which said uid has privileges, then why would you delete the account until you clean up the files? I'm not a Unix sysadmin, but I presume that there are admin packages that handle this sort of thing for you. When you discover that the admin tool is about to delete /sys/bin/important, you might think twice about it and instead put that user on the "necessary" list.

The one constant is change and so I suggest that no auditor or sysadmin will know all "necessary" and "not necessary" accounts, and that they must work together to turn the unknown into the known.

> 2. a user account re-using the uid number for the vanished ftp
> account is accidentally created

Hey, if you're going to introduce sloppy sysadmins into the mix and you don't have or use any and all capabilities to prevent or detect accidents, then all bets are off.

Same thing on z/VM: If you don't remove the objects created by or for a user, and scrub all of your authorization lists when you delete a virtual machine, you shouldn't ever reuse a z/VM user ID. Example: SFS directories.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
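The two checks discussed in this exchange (refuse to delete an account while its uid still owns files, and refuse to hand a uid to a new account while anything on disk or in the account database still references it), written up as an added POSIX shell example. This is not code from the thread or from any distribution's account tools. It assumes GNU or BSD find (for -uid, -path and -xdev), a flat /etc/passwd (directory services would need getent instead), and that the real userdel(8) is only reached after the check passes; the ROOT argument exists so the scan can be pointed at a subtree instead of the whole system.

```sh
#!/bin/sh
# Added example, not from the LINUX-390 thread: pre-deletion and pre-reuse
# checks for a numeric uid. Assumes GNU or BSD find and a local passwd file.

# files_owned_by UID [ROOT]: list every file or directory under ROOT
# (default /) still owned by the numeric uid, staying on one filesystem.
files_owned_by() {
    uid="$1"; root="${2:-/}"
    find "$root" -xdev ! -path "$root" -uid "$uid" -print 2>/dev/null
}

# uid_in_passwd UID [PASSWD_FILE]: 0 if some account currently has that uid.
# Flat-file only; NIS/LDAP sites would use getent passwd instead.
uid_in_passwd() {
    uid="$1"; pw="${2:-/etc/passwd}"
    [ -r "$pw" ] || return 2
    awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$pw"
}

# safe_userdel_check UID [ROOT]: 0 when nothing under ROOT is owned by the
# uid (safe to delete), 1 when deleting the account would orphan files.
# The offending paths go to stderr so they can be reassigned or removed first.
safe_userdel_check() {
    uid="$1"; root="${2:-/}"
    count=$(files_owned_by "$uid" "$root" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "refusing to delete uid $uid: it still owns $count object(s) under $root" >&2
        files_owned_by "$uid" "$root" >&2
        return 1
    fi
    return 0
}

# uid_free_for_reuse UID [ROOT] [PASSWD_FILE]: 0 only if the uid is neither
# assigned in the account database nor the owner of anything on disk, so a
# recycled number cannot silently inherit a vanished account's files.
uid_free_for_reuse() {
    uid="$1"; root="${2:-/}"; pw="${3:-/etc/passwd}"
    if uid_in_passwd "$uid" "$pw"; then
        echo "uid $uid is still assigned in $pw" >&2
        return 1
    fi
    safe_userdel_check "$uid" "$root"
}

# safe_userdel NAME [ROOT]: resolve the account's uid, run the ownership
# check, and only then hand off to userdel(8). Nothing is deleted on failure.
safe_userdel() {
    name="$1"; root="${2:-/}"
    uid=$(id -u "$name") || return 2
    safe_userdel_check "$uid" "$root" || return 1
    userdel "$name"
}
```

In practice safe_userdel is run as root against / ; the scan is deliberately not restricted to regular files, because an orphaned home directory or spool directory is just as much of a problem as an orphaned binary.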