On Tue, 11 Dec 2001, Marcel Fréchette wrote:

> - I see several (most) system accounts have no command (shell) assigned in
>   /etc/passwd, or have /bin/false.  I have read this means they are not
>   supposed to log in.

No, if it has no shell, it will default to /bin/sh. But, yes, if it is
/bin/false or some/nonexistent-shell then it won't let you log in.

>   But then, how are they used?

Programs use the setuid(2) function. For example, a program may start as
root, but quickly change to another user.

Or cron runs the program as the user.

Or su(1) or other tools can run a command as another user.

 su nobody -c 'touch /tmp/nobody-test.$$'
 ls -l /tmp/nobody-test.*

(This is a bad example, because I really believe files shouldn't be owned
by "nobody" -- that defeats the purpose.)

> - Consider the /var/named directory.  On my system it contains 3 files, all
>   owned by system account 'named' with permissions rw-r--r-- (644).  If I
>   want to edit file named.local, say, I can su root and edit the file from
>   there or from root, su named, because then the password is not asked for.
>   Is there a better way?

named (the program) only needs to be able to write to certain files and
directories (using the named user). So some of your files can be owned by
different users.

A better way? Maybe create another user account like "dns-data" and have
it own the files that don't need to be modified by named.

> - From what you tell me below about the shutdown account, if I assign it the
>   command /sbin/shutdown in /etc/passwd, and then a password, then I could
>   su or login to it from a regular user account to shutdown the machine.

No, /sbin/shutdown needs to be run by root; you would have to change the
UID to zero or make it setuid (not advised) or use some setuid wrapper
script.

>   Is this the general procedure?

I don't think so.

> - How do I go about running a privilege-less program with nobody?

See su(1) example above; you could also use nobody's crontab or xinetd (or
inetd). For example, I use the nobody user to stream audio via inetd.

> - How do you go about assigning resources to system accounts?  I have seen
>   ulimit, but that's a shell built-in.

Maybe with PAM via pam_limits and /etc/security/limits.conf.

> - I tried usermod -U on a system account I don't use (postgres), and the
>   second exclamation mark in /etc/shadow/ went away.  But usermod -L did not
>   bring it back.

Probably because it thinks it is already locked.

> - I have seen (too) short hints on the net about deleting system accounts
>   that I do not use.  For one of them (can't recall which), there was a
>   side-effect, that is, some cron script had to be edited after the account
>   was removed.

Yes, be sure to double-check cron scripts, etc.

Also, if you delete some user, then maybe it will break some future
software installation or upgrade.

> Since a full install of Red Hat Deluxe 7.1 sets up 30 system accounts,
> assigned to specific UIDs below 100, does detailed documentation about them
> exist, describing the "mission" of each account, how it's used, which
> files/directories it typically owns,

I am guessing no detailed documentation exists. Maybe some
vendors/distributions have a document or guidelines for their particular
setups.

> how to safely delete/recreate it, etc?

Safely delete by carefully searching filesystem and software for the use
by the user. Then use userdel, vipw or other tools. Personally, I wouldn't
worry about it too much.

(Please remember to clip out old signatures, mailing list info, and other
unnecessary noise when replying.)

  Jeremy C. Reed
  http://bsd.reedmedia.net/  -- BSD news and resources
  http://www.isp-faq.com/    -- find answers to your questions
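The setuid(2) pattern described in the reply (a program starts as root, then switches to a system account such as nobody), as an added example that is not code from the list post. It assumes a Linux/glibc host with a "nobody" account and shows the order of calls a daemon must use so the drop cannot be undone.

```c
/* Added example: drop root privileges to a system account and verify the
 * drop is irreversible. Assumes Linux/glibc and a "nobody" account. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Switch to uid/gid. Order matters: the group list and the gid must be set
 * while still root, because setuid() throws that right away. name may be
 * NULL, in which case the supplementary groups are reduced to gid alone. */
int drop_privileges(const char *name, uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {                   /* only root may change groups */
        if (name ? initgroups(name, gid) != 0 : setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0) return -1;        /* real, effective and saved gid */
    if (setuid(uid) != 0) return -1;        /* real, effective and saved uid */
    /* A non-root process must not be able to regain uid 0 afterwards. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Pick the target like a daemon would: as root, drop to "nobody"; when
 * already unprivileged, re-apply the current ids so the same path runs. */
int demo_drop(void)
{
    if (geteuid() != 0)
        return drop_privileges(NULL, getuid(), getgid());
    struct passwd *pw = getpwnam("nobody");
    if (!pw) return -1;
    return drop_privileges(pw->pw_name, pw->pw_uid, pw->pw_gid);
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (demo_drop() != 0) { perror("drop_privileges"); return 1; }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Run it as root to see the switch to nobody; run it as an ordinary user to confirm the irreversibility check still holds.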

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list