Re: Guest network connection error

2009-11-03 Thread Mark Ver
> Would the Q V NIC DET show any different results than the Q VSWITCH DET
> on VM? When I take a look at another guest the output from both commands
> is almost the same.

One of the things that shows up on the q v nic det but does not appear on
the q vswitch det is the actual MAC given by the vswitch to the nic, e.g.:

CP Q V NIC 1600 DETAIL
Adapter 1600.P00 Type: QDIO  Name: UNASSIGNED  Devices: 3
  MAC: 02-06-00-00-00-52 VSWITCH: SYSTEM DT70L2      <-- MAC from vswitch
  RX Packets: 2562   Discarded: 0  Errors: 0
  TX Packets: 576    Discarded: 0  Errors: 0
  RX Bytes: 186892   TX Bytes: 78429
  Connection Name: HALLOLE   State: Session Established
  Device: 1600  Unit: 000   Role: CTL-READ
  Device: 1601  Unit: 001   Role: CTL-WRITE
  Device: 1602  Unit: 002   Role: DATA   vPort: 0078  Index: 0008
  Options: Ethernet Broadcast
Unicast MAC Addresses:
  02-06-FF-FF-FF-01                                  <-- MAC set by user for the nic

I'm not sure if it would make a difference with Layer3 mode.  On SLES-11
you can't set the MAC on the nic if it's in layer3, but maybe it was
possible on SLES-8.


- Mark Ver

office:  Building 710 / Room 2-RF-10
phone: (845) 435-7794  [tie 8 295-7794]

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
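Mark's point is that Q V NIC DETAIL shows both the MAC the vswitch assigned and the unicast MAC(s) the guest itself registered, which Q VSWITCH DETAIL does not. The following is an added example, not code from the post: it parses that output and lists every NIC on which the guest is using a MAC other than the one the vswitch handed out, which is the check you want when auditing layer 2 guests for MAC changes. The parser follows the layout quoted in the post (the sample below is that output with the annotations removed); any other QUERY layout is an assumption.

```python
"""Parse CP 'QUERY VIRTUAL NIC ... DETAIL' output and flag virtual NICs whose
guest-set unicast MAC differs from the MAC the vSwitch assigned.

Added example; not from the post. The layout parsed is the one quoted in
the post (minus the '<--' annotations); anything else is an assumption."""
import re
from dataclasses import dataclass, field
from typing import List

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\b")
ADAPTER_RE = re.compile(r"Adapter\s+([0-9A-Fa-f]+)\.P\d+\s+Type:\s*(\S+)")

# Constructed sample: the output from the post, annotations removed.
SAMPLE = """\
Adapter 1600.P00 Type: QDIO  Name: UNASSIGNED  Devices: 3
  MAC: 02-06-00-00-00-52 VSWITCH: SYSTEM DT70L2
  RX Packets: 2562   Discarded: 0  Errors: 0
  TX Packets: 576    Discarded: 0  Errors: 0
  RX Bytes: 186892   TX Bytes: 78429
  Connection Name: HALLOLE   State: Session Established
  Device: 1600  Unit: 000   Role: CTL-READ
  Device: 1601  Unit: 001   Role: CTL-WRITE
  Device: 1602  Unit: 002   Role: DATA   vPort: 0078  Index: 0008
  Options: Ethernet Broadcast
Unicast MAC Addresses:
  02-06-FF-FF-FF-01
"""

@dataclass
class VirtualNic:
    device: str                 # virtual device address, e.g. 1600
    nic_type: str               # QDIO, HIPERS, ...
    vswitch: str = ""           # "<owner> <name>" from the VSWITCH: field
    assigned_mac: str = ""      # MAC the vSwitch handed to the NIC
    layer2: bool = False        # 'Options: Ethernet' means layer 2 transport
    unicast_macs: List[str] = field(default_factory=list)  # MACs the guest registered

    def guest_set_macs(self) -> List[str]:
        """Unicast MACs other than the vSwitch-assigned one, i.e. set by the guest."""
        return [m for m in self.unicast_macs if m.upper() != self.assigned_mac.upper()]

def parse_query_nic_detail(text: str) -> List[VirtualNic]:
    nics: List[VirtualNic] = []
    cur = None
    in_unicast = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ADAPTER_RE.match(line)
        if m:
            cur = VirtualNic(device=m.group(1), nic_type=m.group(2))
            nics.append(cur)
            in_unicast = False
            continue
        if cur is None or not line:
            continue
        if line.startswith("MAC:"):
            macs = MAC_RE.findall(line)
            cur.assigned_mac = macs[0] if macs else ""
            vs = re.search(r"VSWITCH:\s+(\S+)\s+(\S+)", line)
            if vs:
                cur.vswitch = f"{vs.group(1)} {vs.group(2)}"
        elif line.startswith("Options:"):
            cur.layer2 = "Ethernet" in line
        elif line.startswith("Unicast MAC Addresses:"):
            in_unicast = True
        elif in_unicast:
            macs = MAC_RE.findall(line)
            if macs:
                cur.unicast_macs.extend(macs)
            else:
                in_unicast = False   # first non-MAC line ends the list
    return nics

def mac_mismatches(text: str) -> List[str]:
    """One report line per NIC whose guest registered a MAC the vSwitch did not assign."""
    out = []
    for nic in parse_query_nic_detail(text):
        for mac in nic.guest_set_macs():
            mode = "layer 2" if nic.layer2 else "layer 3"
            out.append(f"NIC {nic.device} on {nic.vswitch} ({mode}): "
                       f"assigned {nic.assigned_mac}, guest uses {mac}")
    return out

if __name__ == "__main__":
    for line in mac_mismatches(SAMPLE):
        print(line)
```

Run it against the captured output of Q V NIC DETAIL for each guest (one Adapter block per NIC); on the sample it reports NIC 1600 as using 02-06-FF-FF-FF-01 in place of the assigned 02-06-00-00-00-52, which is exactly the user-set MAC Mark points out.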


Re: TCPDUMP

2009-11-03 Thread Ron Wells
Not recv'ing / seeing packets being sent from Linux box..only see them
coming inbound??

Where can I start looking
Going through VSWITCH where OSA-Gig card is set
z/VM5.4
SLES 10 SP2
 Linux agfzxt02 2.6.16.60-0.42.4-default #1 SMP Fri Aug 14 14:33:26 UTC
2009 s390x s390x s390x GNU/Linux


tcpdump command:
tcpdump -p -i eth0 -s 0 -vv -w /root/appwork01.lcap "src port not 22 or
dst port not 22"

Ethereal screen shot (Linux image IP is 10.239.53.217):

Hardware conf:
STARTMODE='auto'
MODULE='qeth'
MODULE_OPTIONS=''
MODULE_UNLOAD='yes'
SCRIPTUP='hwup-ccw'
SCRIPTUP_ccw='hwup-ccw'
SCRIPTUP_ccwgroup='hwup-qeth'
SCRIPTDOWN='hwdown-ccw'
CCW_CHAN_IDS='0.0.f804 0.0.f805 0.0.f806'
CCW_CHAN_NUM='3'
QETH_LAYER2_SUPPORT='0'
CCW_CHAN_MODE=''
LCS_LANCMD_TIMEOUT=''
QETH_IPA_TAKEOVER='0'
QETH_OPTIONS='fake_ll=1 buffer_count=64'

Interface conf:
BOOTPROTO='static'
UNIQUE=''
STARTMODE='auto'
IPADDR='10.239.53.217'
NETMASK='255.255.255.0'
NETWORK='10.239.53.0'
BROADCAST='10.239.53.255'
_nm_name='qeth-bus-ccw-0.0.f804'
ETHTOOL_OPTIONS=''
MTU=''
NAME='OSA External'
REMOTE_IPADDR=''
USERCONTROL='no'
PREFIXLEN=''
ARP='no'




SAR -v command values

2009-11-03 Thread Rick Truett

Hello, I am looking for an explanation of the value returned in the
dentunusd field from the sar -v command.  I have values in the millions
and would like to understand why the value is so high.





DHCP

2009-11-03 Thread Thang Pham
I am trying to install a DHCP server on my SLES10 SP2 system on s390x.  I
think the installation worked, but I want to know how to configure new
Linux systems to use DHCP.  Is there any documentation on how to configure
Linux systems to be managed by DHCP?

I tried to configure my network for DHCP during installation, but it failed.
It went to the Network Card Configuration Overview screen and edited my
network card.  It took me to the Network Address Setup screen, where I
selected Automatic Address Setup (via DHCP).  When I clicked next, it hung
at the Saving Network Configuration -- Write drivers information screen.

Could someone tell me how to set up DHCP correctly?

Thank you,
-
Thang Pham
IBM Poughkeepsie
-



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Leslie Turriff wrote:

> On Tuesday 03 November 2009 19:42:12 John Summerfield wrote:
>
>> I think removal of accounts, as opposed to disabling them, is not
>> something to undertake lightly. It might be that data there could be
>> required for legal purposes - recently in a public company in Australia
>> was reported to have embezzled a few million dollars. Enough that, when
>> the money was found, the company's share price doubled. Probably, the
>> user's files reflected her activities. Illegal activities aside, there
>> may be notes, saved emails and the like stored there and nowhere else
>> that may reflect agreements made and which someone else might need to
>> know about after they've left.
>
> All of your comments are correct, and all of the installations where I have
> worked have checklists and procedures for handling the removal of such
> accounts, which include the identification and either removal or reassignment
> of related files before the account is removed; but these do not cover the
> case of an unidentified account which is owned by no identifiable entity and
> has no apparent use except to provide a possible weakness in the system's

The accounts in question and their purposes have been identified.

> security merely by existing.  (One may believe that since it is a "nologin"
> account, etc., that there is no chance that in the future some hacker might
> find a way to exploit its existence, but history has shown that such beliefs
> are not safe ones.)  The policy of most enterprises that unused accounts

If someone can change a nologin account to a login account, you're
already screwed. And, that someone can also create new accounts.

> should not exist on the system unless they can be justified as serving a
> business purpose is valid for accounts such as games as well as for accounts
> defined by the system administrators.
>
> If the only purpose for the games account is to collect high-score numbers
> for accounts where games are used, it has no purpose on a business server,
> and it should not be included in such a distribution.  It is hard for me to
> believe that an account with such a minimal purpose cannot be excluded
> without causing a cascade of problems in the rest of the system, and it seems
> to me that the distributors of SLES and RHEL should have excluded them long
> ago.


I think that the suggestion of seeking assurance from the vendor that
the removal of these accounts poses no problem is sound. I would also
recommend asking the vendor that no unnecessary system accounts be
created. Any local action is but a crudish hack, and the problem will
recur, either immediately as Marcy found out, or later when installing
from vendor media, and nor will these hacks solve the matter for other
users.

I also think it sound to bring these accounts to the auditors' attention
(since in this case they seem not to have noticed yet) and discussing
with them what should be done, what the alternatives and risks are.

It seems to me most here have a problem with the name. Here are some
other names I have on my RHEL-clone:
news
operator
gopher
rpm
gdm
sabayon
tomcat
shutdown
halt

Those last two actually have a login shell that doesn't immediately log
you off, instead halt would shut down the system. Some of the others
also have a working login shell.

If the games account represents a security problem, then so do those.


--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Edmund R. MacKenty wrote:

> On Tuesday 03 November 2009 11:16, Jack Woehr wrote:
>
>> Edmund R. MacKenty wrote:
>>
>>> .  I don't think the UID/GID can be re-used, as
>>> your vendor controls their assignments for system accounts and useradd(8)
>>> will not assign UID/GID values below 500
>>
>> That number-below-which is controlled by the contents of /etc/login.defs
>> I believe, which is an editable text file, not a hard limit.
>
> Correct.  But in order for the scenario you described to occur, one of the
> following must happen:
>
> 1) A superuser edits /etc/login.defs and sets SYSTEM_USER_MIN to zero or some
> other very low value, or
>
> 2) A superuser runs "useradd -r -u 40 cracker" and gives that account to a
> plain user.


I don't know what sparked that comment, but in case you think system
accounts have special privileges, they do not, except for
UID=0. Essentially, system accounts are not user accounts, and new
accounts are user accounts by default.

The system can be configured to give special access to specific
resources through use of UIDs and GIDs - members of the dialout group on
a system I maintain can use serial ports because they're owned by group
dialout and the group permissions allow that, but that applies equally
whether a process is a daemon process with a system account, or some
user. Similarly, sudo can be configured to give some accounts or groups
special privilege (typically, the ability to run stuff as root), but
again, its behaviour is the same whether the process using it is a system
daemon or an ordinary user. In fact, I use it to allow Apache to modify
firewall rules, and I use it to allow administrator users to do their stuff.



--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Edmund R. MacKenty wrote:

> On Tuesday 03 November 2009 11:48, Marcy Cortes wrote:
>
>> No one has actually answered Paul's question about why it has to exist.  I'm
>> curious about that too for my own edification.  Just because its always
>> been there and things *might* expect it isn't a very good reason in my
>> opinion.
>
> I'll take a swat at that one:
>
> It doesn't *have* to exist, but some packages will attempt to install files
> owned by "games".  That's OK, you'll end up with some files owned by UID 12.

More likely they will be owned by root.




--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Jack Woehr wrote:

> Alan Altmark wrote:
>
>> Marcy's question wasn't unreasonable and neither is the policy to remove
>> unnecessary account ...
>>  But to implement the policy, *someone* has to be the
>> arbiter of "necessary", and I don't think it should be the system that's
>> being audited!
>
> In the specific instance, most estimable Alan, your general guidance is
> wrong.
>
> Marcy was asking for help in deleting accounts she did not know the
> purpose of, /and/ the system /is/ the arbiter in that these system accounts
> own system files which are orphaned if the system accounts are deleted.
>
> In a worst-case scenario (that's what security planning is about, right?)
>
>   1. ftp system files are orphaned by deleting the account
>   2. a user account re-using the uid number for the vanished ftp
>      account is accidentally created
>   3. Joe User gets control of FTP.


A user account will not be created with a defunct system account's UID.
What is more likely is that a new user account might get the UID of a
removed user account and so win some orphaned files.

I don't know whether it's defined behaviour, but on RHL and successors,
if I add a new user account (as I do) in kickstart with a specific UID
(as I do), then subsequent new accounts get ever-increasing UIDs.

Given that I remember when OS/VS and VSAM were new, and how
mind-bogglingly large VSAM files could be (4 Gbytes for those less
senior), I will not assume UIDs will never wrap again.


--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

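The two halves of this thread's worry, what an account owns before it is removed and whether a later useradd can hand an orphaned UID to someone else, as an added example that is not code from any post. It works from a constructed passwd file, a login.defs excerpt and an ownership listing in the shape `find / -xdev -printf '%U %p\n'` produces; UIDs 12 (games) and 40 (ftp) follow the thread, every other name, UID and path is invented. The useradd allocation rule it assumes, one above the highest UID currently in the user range, is the ever-increasing behaviour John describes; the SUSE and RHEL spellings of the system-range keys (SYSTEM_UID_* and SYS_UID_*) are both accepted.

```python
"""Account-removal hygiene: inventory what an account owns before userdel,
then find files left orphaned afterwards together with the chance that a
later plain useradd hands their UID to someone else.

Added example, not from the thread. All input is constructed inline: a
passwd file, a login.defs excerpt, and an ownership listing as produced by
find / -xdev -printf '%U %p\\n'. UIDs 12 (games) and 40 (ftp) follow the
thread; the other names, UIDs and paths are invented."""
import re
from typing import Dict, List, Tuple

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
"""

# SUSE spells the system range SYSTEM_UID_*, shadow-utils on RHEL SYS_UID_*.
LOGIN_DEFS = """\
SYSTEM_UID_MIN   100
SYSTEM_UID_MAX   499
UID_MIN         1000
UID_MAX        60000
"""

LISTING = """\
0 /etc/passwd
12 /usr/games
12 /var/games/hiscore
40 /srv/ftp
10 /var/spool/uucp
1001 /home/alice/.bashrc
1002 /home/bob/notes.txt
"""

Users = Dict[str, dict]

def parse_passwd(text: str) -> Users:
    users: Users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

_DEFS_RE = re.compile(r"\s*(SYS(?:TEM)?_UID_MIN|SYS(?:TEM)?_UID_MAX|UID_MIN|UID_MAX)\s+(\d+)")

def parse_login_defs(text: str) -> Dict[str, int]:
    defs: Dict[str, int] = {}
    for line in text.splitlines():
        m = _DEFS_RE.match(line)
        if m:
            defs[m.group(1).replace("SYSTEM_", "SYS_")] = int(m.group(2))
    return defs

def parse_listing(text: str) -> List[Tuple[int, str]]:
    out = []
    for line in text.splitlines():
        if line.strip():
            uid, path = line.split(" ", 1)
            out.append((int(uid), path))
    return out

def files_owned_by(name: str, users: Users, listing) -> List[str]:
    """What to reassign or archive before the account goes away."""
    uid = users[name]["uid"]
    return [path for owner, path in listing if owner == uid]

def next_useradd_uid(users: Users, defs: Dict[str, int]) -> int:
    """Assumed allocation rule: one above the highest UID in the user range
    (shadow-utils' default), or UID_MIN if the range is empty."""
    used = [u["uid"] for u in users.values() if defs["UID_MIN"] <= u["uid"] <= defs["UID_MAX"]]
    return max(used) + 1 if used else defs["UID_MIN"]

def orphan_report(users: Users, defs: Dict[str, int], listing) -> List[Tuple[int, str, str]]:
    """(uid, path, risk) for every file whose owner is no longer in passwd."""
    known = {u["uid"] for u in users.values()}
    upcoming = next_useradd_uid(users, defs)
    report = []
    for uid, path in listing:
        if uid in known:
            continue
        if defs["UID_MIN"] <= uid <= defs["UID_MAX"]:
            risk = ("the NEXT plain useradd receives this UID" if uid == upcoming
                    else "a plain useradd can receive this UID")
        else:
            risk = "system range: reassigned only by an explicit useradd -r -u"
        report.append((uid, path, risk))
    return report

def userdel(users: Users, name: str) -> Users:
    """What userdel without -r does: drop the passwd entry, leave files alone."""
    remaining = dict(users)
    del remaining[name]
    return remaining

if __name__ == "__main__":
    users, defs, listing = parse_passwd(PASSWD), parse_login_defs(LOGIN_DEFS), parse_listing(LISTING)
    print("games owns:", files_owned_by("games", users, listing))
    for uid, path, risk in orphan_report(userdel(users, "games"), defs, listing):
        print(f"orphan uid {uid:5d} {path}: {risk}")
```

On the sample, bob's leftover file is the dangerous one: 1002 is exactly what the next useradd will allocate, while the files games leaves behind sit in the system range and change hands only if someone deliberately runs useradd -r -u 12. On a real host, feed the functions the output of `find / -xdev -printf '%U %p\n'` (or `-nouser` for the post-deletion pass) and the live /etc/passwd and /etc/login.defs.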


Re: Where does "games" come from?

2009-11-03 Thread Rodriguez-Bell, Ted
Spake the keyboard of Marcy Cortes:
> I keep getting rid of this userid /etc/passwd, and something puts it back.
> SLES 10.
> How do I make it stop doing that?
> Also uucp and ftp.
>
> Bad bad bad.

The technical answer to this I think is that those IDs come in the
filesystem package; at least /usr/games does.  Unfortunately that gets
updated frequently, and /usr/games and the games ID thus crawl back
in every time.

The logical solution is for Audit to be reasonable.  That isn't a
promising avenue of approach.

The easy technical hack is to do a "userdel -r games" after
every update.

A more process-oriented solution is to update the security plan to say
these things will exist because the vendor et cetera et cetera.

A nice solution would be if SLES didn't install these users.  I'm not
sure why they decided to create them and then lock them down but it's
defensible; whether it's right or not I don't think it's changing.

A perfect-world solution is to rewrite Linux package management so it
adds patches like Solaris does.  That way the package only gets
installed once (everything else is just a change to the package) and
the userids stay deleted.  Hey:  we have the source!  (It is admitted
that this may be perfect only for this particular problem.)

One could also do nothing and try to find another position before the
next audit...

Ted Rodriguez-Bell
Enterprise Virtualization - z/VM and z/Linux
te...@wellsfargo.com, 415-243-6291




Re: TCPDUMP

2009-11-03 Thread John Summerfield

Ron Wells wrote:

> Not recv'ing / seeing packets being sent from Linux box..only see them
> coming inbound??
>
> Where can I start looking
> Going through VSWITCH where OSA-Gig card is set
> z/VM5.4
> SLES 10 SP2
>  Linux agfzxt02 2.6.16.60-0.42.4-default #1 SMP Fri Aug 14 14:33:26 UTC
> 2009 s390x s390x s390x GNU/Linux
>
> tcpdump command:
> tcpdump -p -i eth0 -s 0 -vv -w /root/appwork01.lcap "src port not 22 or
> dst port not 22"


When people start combining AND and NOT I have to think, and I don't
like thinking.  But I wonder whether you mean and rather than or.
I'd use
port not 22
Something like this:
tcpdump -i eth0 -A -s 0 host terry and not port 22

which doesn't trace ssh activity.





--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

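John's point, worked through as an added example (not code from either post): a small evaluator for the port/host subset of pcap-filter syntax, run over constructed packets. "src port not 22 or dst port not 22" only drops packets whose source and destination ports are both 22, which no SSH packet has, so every SSH packet is still written to the capture file; "not port 22" drops anything that touches port 22 on either side. The packets are constructed, with 10.239.53.217 taken from the post and the peer addresses and ports invented.

```python
"""Why 'src port not 22 or dst port not 22' still captures SSH while
'not port 22' does not, evaluated over constructed packets.

Added example, not from the thread. It handles a small subset of libpcap's
filter syntax (src/dst qualifiers, port, host, not/and/or, parentheses).
The packets are constructed: 10.239.53.217 is the address from the post,
the peer addresses and ports are invented."""
import re
from typing import List, NamedTuple

class Packet(NamedTuple):
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int

PACKETS = [                                               # constructed traffic on eth0
    Packet("10.239.53.5", 54321, "10.239.53.217", 22),     # ssh, inbound
    Packet("10.239.53.217", 22, "10.239.53.5", 54321),     # ssh reply, outbound
    Packet("10.239.53.217", 40001, "10.239.53.9", 80),     # http, outbound
    Packet("10.239.53.9", 80, "10.239.53.217", 40001),     # http reply, inbound
]
ORIGINAL_FILTER = "src port not 22 or dst port not 22"   # filter from the post
SUGGESTED_FILTER = "not port 22"                          # John's suggestion

_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

class Filter:
    """Recursive-descent parser for:
    expr := term ('or' term)*;  term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | prim;
    prim := ['src'|'dst'] ('port'|'host') ['not'] value
    libpcap accepts both 'not port 22' and 'port not 22'; so does this."""

    def __init__(self, expr: str):
        self.toks, self.pos = _TOKEN_RE.findall(expr.lower()), 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.pos:]}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _next(self):
        tok, self.pos = self._peek(), self.pos + 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._term())
        return node
    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._next()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        if self._peek() == "not":
            self._next()
            return ("not", self._factor())
        if self._peek() == "(":
            self._next()
            node = self._expr()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return node
        return self._prim()

    def _prim(self):
        direction = self._next() if self._peek() in ("src", "dst") else "any"
        kind = self._next()
        if kind not in ("port", "host"):
            raise ValueError(f"unsupported primitive {kind!r}")
        negate = self._peek() == "not" and self._next() == "not"   # 'port not 22' form
        value = self._next()
        if value is None:
            raise ValueError(f"missing value after {kind}")
        node = ("prim", direction, kind, int(value) if kind == "port" else value)
        return ("not", node) if negate else node

    def matches(self, pkt: Packet, node=None) -> bool:
        node = self.ast if node is None else node
        op = node[0]
        if op in ("or", "and", "not"):
            vals = [self.matches(pkt, n) for n in node[1:]]
            return any(vals) if op == "or" else all(vals) if op == "and" else not vals[0]
        _, direction, kind, value = node
        src, dst = (pkt.src_port, pkt.dst_port) if kind == "port" else (pkt.src_host, pkt.dst_host)
        return {"src": src == value, "dst": dst == value}.get(direction, src == value or dst == value)

def captured(expr: str, packets: List[Packet] = PACKETS) -> List[Packet]:
    """The packets tcpdump would keep for the given filter expression."""
    flt = Filter(expr)
    return [p for p in packets if flt.matches(p)]

if __name__ == "__main__":
    for expr in (ORIGINAL_FILTER, SUGGESTED_FILTER, "host 10.239.53.217 and not port 22"):
        print(f"{expr!r}: keeps {len(captured(expr))} of {len(PACKETS)} packets")
```

The original filter keeps all four sample packets, the suggested one keeps only the two HTTP packets. This only shows what each filter admits; it does not by itself explain why no outbound packets appear in the capture.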


Re: SAR -v command values

2009-11-03 Thread Brad Hinson

Hi Rick,

dentunusd shows how many unused directory entries (dentries) you have in
the kernel's memory cache.  Dentries are stored on disk, and contain
information about a specific directory.  They're cached in memory for
faster access as you change directories.  For a rough example, try
'mkdir /tmp/test; vi /tmp/test'.

Here's an article on managing this value.  I'm sure there are many like
it, but this is just one approach:

http://rackerhacker.com/2008/12/03/reducing-inode-and-dentry-caches-to-keep-oom-killer-at-bay/

-Brad

Rick Truett wrote:

> Hello, I am looking for an explanation of the value returned in the
> dentunusd field from the sar -v command.  I have values in the millions
> and would like to understand why the value is so high.


--
Brad Hinson 
Sr. Support Engineer Lead, System z
Red Hat, Inc.
(919) 754-4198
www.redhat.com/z



Re: TCPDUMP

2009-11-03 Thread Ron Wells
May have deleted any replies...thought I'd try again..


Re: SAR -v command values

2009-11-03 Thread Mark Post
>>> On 11/3/2009 at  3:56 PM, Rick Truett  wrote: 
> Hello, I am looking for an explanation of the value returned in the
> dentunusd field from the sar -v command.  I have values in the millions
> and would like to understand why the value is so high.

According to "man sar"
dentunusd
 Number of unused cache entries in the directory cache.


So, sounds like large numbers are good, not bad.


Mark Post



Re: Where does "games" come from?

2009-11-03 Thread Leslie Turriff
On Tuesday 03 November 2009 19:42:12 John Summerfield wrote:
> Alan Altmark wrote:
> > In a Unix system, having a process to ensure that you *don't* orphan
> > files when deleting an account would seem to be de rigueur.  If any file
> > exists to which said uid has privileges, then why would you delete the
> > account until you clean up the files?  I'm not a Unix sysadmin, but I
> > presume that there are admin packages that handle this sort of thing for
> > you.  When you discover that the admin tool is about to delete
> > /sys/bin/important, you might think twice about it and instead put that
> > user on the "necessary" list.
>
> Users' files do not, by default, get deleted when the account is removed.
>
> The ownership of a file is reflected in two numbers, and those are
> mapped to names through /etc/passwd and /etc/group (and their
> replacements in LDAP etc). Removal of accounts removes the mapping, but
> not the files.
>
> If you use a centralised authentication store, such as LDAP or RACF or
> AD, then removing a user account could leave orphaned files all over the
>   place.
>
> I think removal of accounts, as opposed to disabling them, is not
> something to undertake lightly. It might be that data there could be
> required for legal purposes - recently in a public company in Australia
> was reported to have embezzled a few million dollars. Enough that, when
> the money was found, the company's share price doubled. Probably, the
> user's files reflected her activities. Illegal activities aside, there
> may be notes, saved emails and the like stored there and nowhere else
> that may reflect agreements made and which someone else might need to
> know about after they've left.
>
All of your comments are correct, and all of the installations where I have
worked have checklists and procedures for handling the removal of such
accounts, which include the identification and either removal or reassignment
of related files before the account is removed; but these do not cover the
case of an unidentified account which is owned by no identifiable entity and
has no apparent use except to provide a possible weakness in the system's
security merely by existing.  (One may believe that since it is a "nologin"
account, etc., that there is no chance that in the future some hacker might
find a way to exploit its existence, but history has shown that such beliefs
are not safe ones.)  The policy of most enterprises that unused accounts
should not exist on the system unless they can be justified as serving a
business purpose is valid for accounts such as games as well as for accounts
defined by the system administrators.

If the only purpose for the games account is to collect high-score numbers
for accounts where games are used, it has no purpose on a business server,
and it should not be included in such a distribution.  It is hard for me to
believe that an account with such a minimal purpose cannot be excluded
without causing a cascade of problems in the rest of the system, and it seems
to me that the distributors of SLES and RHEL should have excluded them long
ago.

Leslie Turriff



Re: Where does "games" come from?

2009-11-03 Thread Jerry Whitteridge
> -Original Message-
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On 
> Behalf Of Marcy Cortes
> 
> A userid called "games" on a server is so not worth it!
> 
> And I agree with what Dan is on to here.   If it's not part 
> of the specification, then Novell (and probably Redhat) can 
> fix this or at least provide a statement about its necessity 
> to their support.
> 
> 
> marcy

I'd agree with Marcy here. I'd have a hard time justifying an ID or
Group on a business server that called itself "games", whether or not
the vendor supplied the account, especially if it was not in the system
software specifications. 



Re: Where does "games" come from?

2009-11-03 Thread Daniel P. Martin

Thank you, Dominic.  This is consistent with what I could find for
system specifications at the time -- and puts "games" into the exact
same *convention* category as the other userids the auditor was casting
stinkeye on at the time.

Auditors like rules. They're funny that way.  Something about being paid
to enforce them, I expect...

Absent any formal system specification, it's difficult to justify this
account to an auditor.

-dan.

Dominic Coulombe wrote:

> Hi Daniel,
>
> On Tue, Nov 3, 2009 at 13:09, Daniel P. Martin wrote:
>
>> - Can anybody cite an URL for any specification of predefined system
>> accounts ("games" or otherwise) beyond root that are declared to be part
>> of the Linux, Unix or POSIX system specification?  Not the numeric uid
>> or gid, but the account names themselves?
>
> While it does not fully answer your question (no mention of the games user
> as an example), it might be an interesting reading :
>
> Linux Standard Base Core Specification 3.2
> Chapter 21. Users & Groups
> http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/usernames.html
>
> Also :
> Chapter 21. Users & Groups
> http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/uidrange.html
>
> Regards,
> Dominic Coulombe


Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Daniel P. Martin wrote:

> they would be living in the lap of luxury
> we've all become accustomed to instead of depending on their auditor
> credentials to sustain them in a box underneath a bridge...

Really!? I thought they lived in caves reeking of sulfur and wore
loincloths of squirrel fur!


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Dominic Coulombe
Hi Daniel,


On Tue, Nov 3, 2009 at 13:09, Daniel P. Martin wrote:

> - Can anybody cite an URL for any specification of predefined system
> accounts ("games" or otherwise) beyond root that are declared to be part
> of the Linux, Unix or POSIX system specification?  Not the numeric uid
> or gid, but the account names themselves?
>
>

While it does not fully answer your question (no mention of the games user
as an example), it might be an interesting reading :

Linux Standard Base Core Specification 3.2
Chapter 21. Users & Groups
http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/usernames.html

Also :
Chapter 21. Users & Groups
http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/uidrange.html


Regards,
Dominic Coulombe



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Edmund R. MacKenty wrote:

> It's /etc/login.defs where those values are defined.  We don't want to change
> those.

Oh, and whether they're in /etc/login.defs or /etc/pam.conf you are
*allowed* to change them. Them's your site control definitions.

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Jerry Whitteridge wrote:

> I'd agree with Marcy here. I'd have a hard time justifying an ID or
> Group on a business server that called itself "games",

Believe me, I understand. My granddaughter still separates the mushrooms
out of her spaghetti sauce one by one. :)

Thanks for the chat, all!

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Marcy Cortes
 
Jack wrote:

>Well, you're a very dutiful employee and they're lucky to have you. You 
>still should kick 'em in the butt once in a while
>so they don't start to think that the reason you obey them is that 
>they're smarter than the average fifth grader!


Well, I do that when it is worth it.

A userid called "games" on a server is so not worth it!

And I agree with what Dan is on to here.   If it's not part of the 
specification, then Novell (and probably Redhat) can fix this or at least 
provide a statement about its necessity to their support.


marcy


Re: SAR -v command values

2009-11-03 Thread Shane Ginnane
There  has been quite a bit of work in the slub allocator to mitigate
inode and dentry memory usage. Late 2007, early last year from memory.
Badly designed code can eat memory this way as per the link from Brad -
updatedb is the typical flogging horse.
I'd be inclined to run slabtop sorted on cache size to see what is
actually being used, and by whom - no prizes for picking the top 2 likely
candidates.

Shane ...

Rick wrote on 04/11/2009 06:56:21 AM:

> Hello, I am looking for an explanation of the value returned in the
> dentunusd field from the sar -v command.  I have values in the millions
> and would like to understand why the value is so high.



Re: Where does "games" come from?

2009-11-03 Thread Alan Altmark
On Tuesday, 11/03/2009 at 10:52 EST, Jack Woehr  wrote:
> Alan Altmark wrote:
> >  But to implement the policy, *someone* has to be the
> > arbiter of "necessary", and I don't think it should be the system that's
> > being audited!
> In the specific instance, most estimable Alan, your general guidance is
> wrong.
>
> Marcy was asking for help in deleting accounts she did not know the
> purpose of,
> /and/ the system /is/ the arbiter in that these system accounts own
> system files
> which are orphaned if the system accounts are deleted.

Ah, semantics.  :-)  People arbitrate (decide).  Machines obey.  The mere
presence of a user account does not justify its existence.  The fact that
it can't be used to login does not mitigate the requirement for
justification, as the "best" Bad Things can and do masquerade as Good
Things.

In a Unix system, having a process to ensure that you *don't* orphan files
when deleting an account would seem to be de rigueur.  If any file exists
to which said uid has privileges, then why would you delete the account
until you clean up the files?  I'm not a Unix sysadmin, but I presume that
there are admin packages that handle this sort of thing for you.  When you
discover that the admin tool is about to delete /sys/bin/important, you
might think twice about it and instead put that user on the "necessary"
list.

The one constant is change and so I suggest that no auditor or sysadmin
will know all "necessary" and "not necessary" accounts, and that they must
work together to turn the unknown into the known.

> 2. a user account re-using the uid number for the vanished ftp
> account is accidentally created

Hey, if you're going to introduce sloppy sysadmins into the mix and you
don't have or use any and all capabilities to prevent or detect accidents,
then all bets are off.

Same thing on z/VM: If you don't remove the objects created by or for a
user, and scrub all of your authorization lists when you delete a virtual
machine, you shouldn't ever reuse a z/VM user ID.  Example: SFS
directories.

Alan Altmark
z/VM Development
IBM Endicott



Re: Where does "games" come from?

2009-11-03 Thread Edmund R. MacKenty
On Tuesday 03 November 2009 11:55, Jack Woehr wrote:
>Well, in any case, now Marcy is committed to:

It's actually a lot simpler than this, Jack.

>* removing the accounts

Run "userdel games && groupdel games".

>* validating that pam.conf disallows the reassignment of these accounts

How is PAM involved in this?  PAM doesn't assign accounts, it is just an 
authentication layer.  There's nothing to do with PAM.

>* searching for and removing the files and directories, if any,
>  owned by the accounts
>  o alternatively, finding a safe owner for them
>  o Oh, and we haven't even discussed /group/ memberships yet :)

The search is simple: find / \( -user 12 -o -group 40 \) -print
You'll just find /var/games on any reasonably set-up server.

>* /altering/ the install files for /each and every upgrade/ of her
>  system so these accounts aren't recreated

Nope.  Altering the /var/adm/fillup-templates/{passwd,shadow,group}.aaa_base 
files once takes care of this.  No need to alter any install packages.  You'd 
never want to do that anyway.

>* /validating the behavior /of any admin utilities she uses which
>  /may  /presume the account existence (e.g., said install files)

You might need to do this for the "ftp" account, but for "games"?  I wouldn't 
waste my time on that.

>* /deducing/ the connection between any surprising later incident
>  and the removal of the accounts

This should certainly be considered, and if a look at the log files reveals 
a "/var/games: No such file or directory" message from some daemon, I would 
be very surprised.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com  



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Marcy Cortes wrote:

> Jack, this Linux 390 community consists of folks running Linux on very
> expensive hardware purchased by companies that view security as a very top
> priority.

And the nologin 'games' account on those very expensive machines is
still not a security exposure :)

> I wanted to make sure the implementations I am in charge of meet the policies
> as written and that I am able to answer questions with answers that I feel are
> valid.

Well, you're a very dutiful employee and they're lucky to have you. You
still should kick 'em in the butt once in a while
so they don't start to think that the reason you obey them is that
they're smarter than the average fifth grader!


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Alan Altmark wrote:

> the "best" Bad Things can and do masquerade as Good Things.

Hey, I thought we were going to avoid politics! :)

> In a Unix system, having a process to ensure that you *don't* orphan files
> when deleting an account would seem to be de rigueur.

Empirically:

   * 733T Unix weenies are disinclined to delete system accounts
   * Users tend to have their files in two places:
 o /home/~username -- solution, delete their home dir
 o /some/wellknown/shared/work/dir -- chown their files

> If any file exists
> to which said uid has privileges, then why would you delete the account
> until you clean up the files?

You wouldn't.

> I'm not a Unix sysadmin, but I presume that
> there are admin packages that handle this sort of thing for you.  When you
> discover that the admin tool is about to delete /sys/bin/important,

Nothing in /bin /usr/bin /sbin or /usr/sbin is owned by a non-system
account on any sane Unix installation.

> The one constant is change and so I suggest that no auditor or sysadmin
> will know all "necessary" and "not necessary" accounts, and that they must
> work together to turn the unknown into the known.

The response to that is:

   * The default /system/ accounts on a modern Linux system are not
 inherently a security exposure
   * Don't delete /system/ accounts because it's a lot of work and it
 does /nothing/ for you
   * Deleting the /files/ on the other hand, e.g., in /usr/games, can
 save space at least.

>> 2. a user account re-using the uid number for the vanished ftp
>> account is accidentally created
>
> Hey, if you're going to introduce sloppy sysadmins into the mix

The questioner didn't know to look in the control files for the
numerical limits on uid's.
Just one more reason not to mess with system defaults without a genuine
business case.

> Same thing on z/VM: If you don't remove the objects created by or for a
> user, and scrub all of your authorization lists when you delete a virtual
> machine, you shouldn't ever reuse a z/VM user ID.  Example: SFS
> directories.

Absotively. The questioner came to the task without that insight as it
pertains to Unix.

But the overarching insight is that the hapless questioner is being
tasked to hop over
cracks in the pavement in fear that otherwise someone's mother's back
will get broken.

Wasted human effort. Pfaugh.

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Edmund R. MacKenty wrote:

> , this task is necessary simply because it
> was ordered by those with the authority to assign tasks.

Yo ree oh, ree oh rum! (The song of the Winkies at the castle of the
Wicked Witch of the West)

> It's /etc/login.defs where those values are defined.  We don't want to change
> those.

Nah, that's obsolete.  /etc/login.defs still exists, but it's not used
by useradd in
systems with pam. The actual value used by useradd is found in
/etc/pam.conf nowadays.


Again, that's "methinks" ... the 'man' command is your friend!

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Edmund R. MacKenty wrote:

> It's actually a lot simpler than this, Jack.

The length of your post is itself indicative of how much effort is
required to perform this unnecessary task :)

> How is PAM involved in this?  PAM doesn't assign accounts, it is just an
> authentication layer.  There's nothing to do with PAM.

Methinks pam.conf determines x, y where only (y > uid > x) will be
created by useradd. Correct me if I'm wrong, please.


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Daniel P. Martin

I've been hesitant to throw additional fuel on an already robust fire,
but...  Having been through the proverbial mill on this topic in a
previous life, allow me to pose a question:

- Can anybody cite a URL for any specification of predefined system
accounts ("games" or otherwise) beyond root that are declared to be part
of the Linux, Unix or POSIX system specification?  Not the numeric uid
or gid, but the account names themselves?

Efforts years ago, when dealing with auditors in a situation not
dissimilar to Marcy's, to find a system specification were unfruitful.
I haven't devoted a huge amount of time to investigation this morning,
but still couldn't find a document.

I ask because when I had my turn in the barrel on this topic, the
question came down to one simple issue:  Is this part of a formal system
specification, or a vendor / branding / packaging convention?  If there
is a formal system specification, that's one thing.  If it's convention,
that puts the question in an entirely different context -- at least as
far as my auditors were concerned.

Absent a formal system specification to appease the auditor, we deleted
the accounts in question.  No fuss, no muss, no bother, and no bitter
after-taste.

The auditor is neither your friend nor your enemy -- and if they were
systems gurus like we are, they would be living in the lap of luxury
we've all become accustomed to instead of depending on their auditor
credentials to sustain them in a box underneath a bridge...

-dan.



Re: Where does "games" come from?

2009-11-03 Thread Marcy Cortes
>The questioner didn't know to look in the control files for the 
>numerical limits on uid's. 

Are you talking about me?  I do too know how to do that. :-P
Let's not get carried away with assumptions here.

Marcy 


Re: Where does "games" come from?

2009-11-03 Thread Edmund R. MacKenty
On Tuesday 03 November 2009 12:26, Jack Woehr wrote:
>The length of your post is itself indicative of how much effort is
>required to perform this unnecessary task :)

Actually, the length is only indicative of my tendency to type more than is 
necessary.  I reduced your six tasks for Marcy to just two.

And, as many others have pointed out, this task is necessary simply because it 
was ordered by those with the authority to assign tasks.  Whether that 
necessity is unfortunate or not is another question :-)  But I think I've 
shown that it is safe to do this, and rather simple.

>> How is PAM involved in this?  PAM doesn't assign accounts, it is just an
>> authentication layer.  There's nothing to do with PAM.
>
>Methinks pam.conf determines x, y where only (y > uid > x) will be
>created by useradd. Correct me if I'm wrong, please.

It's /etc/login.defs where those values are defined.  We don't want to change 
those.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com  



Re: Where does "games" come from?

2009-11-03 Thread Marcy Cortes
 
Jack wrote:

>I'm more disturbed that this kind of snipe hunt, the deleting of 
>well-known no-login system accounts
>that date back in Unix history to the 1980's, is viewed by the Linux 390 
>community as a useful or
>rational activity that can be mandated by management without your 
>laughing in their faces.

Jack, this Linux 390 community consists of folks running Linux on very 
expensive hardware purchased by companies that view security as a very top 
priority.  We're not talking about peecees in someone's living room.   The 
concern is related to the risk.   Many here have much more experience with 
systems that don't provide accounts called "games" and need to be able to 
justify, when asked, the necessity of an account like this.   "Because it came 
with the system" I suspect isn't going to fly very far and it's not the answer 
I am comfortable having in my pocket.

That said, the last auditors did not point them out.  I wanted to make sure the 
implementations I am in charge of meet the policies as written and that I am 
able to answer questions with answers that I feel are valid.  

Marcy


Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Alan Altmark wrote:

> In a Unix system, having a process to ensure that you *don't* orphan files
> when deleting an account would seem to be de rigueur.  If any file exists
> to which said uid has privileges, then why would you delete the account
> until you clean up the files?  I'm not a Unix sysadmin, but I presume that
> there are admin packages that handle this sort of thing for you.  When you
> discover that the admin tool is about to delete /sys/bin/important, you
> might think twice about it and instead put that user on the "necessary"
> list.


Users' files do not, by default, get deleted when the account is removed.

The ownership of a file is reflected in two numbers, and those are
mapped to names through /etc/passwd and /etc/group (and their
replacements in LDAP etc). Removal of accounts removes the mapping, but
not the files.

If you use a centralised authentication store, such as LDAP or RACF or
AD, then removing a user account could leave orphaned files all over the
place.

I think removal of accounts, as opposed to disabling them, is not
something to undertake lightly. It might be that data there could be
required for legal purposes - recently someone in a public company in
Australia was reported to have embezzled a few million dollars. Enough
that, when the money was found, the company's share price doubled.
Probably, the user's files reflected her activities. Illegal activities
aside, there may be notes, saved emails and the like stored there and
nowhere else that may reflect agreements made and which someone else
might need to know about after they've left.




--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Jack Woehr wrote:

> Edmund R. MacKenty wrote:
>
>> .  I don't think the UID/GID can be re-used, as your vendor controls
>> their assignments for system accounts and useradd(8) will not assign
>> UID/GID values below 500
>
> That number-below-which is controlled by the contents of /etc/login.defs
> I believe, which is an editable text file, not a hard limit.

and the default limit varies, I've read that the traditional Unix limit
is 1000, and that's what Debian uses.

--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread John Summerfield

Edmund R. MacKenty wrote:

> removes a headache for you.  I don't think the UID/GID can be re-used, as
> your vendor controls their assignments for system accounts and useradd(8)
> will not assign UID/GID values below 500 unless you explicitly ask for it with
> the -r option, which you're not going to ever use, right?  So even if there
> are files owned by UID 12 after you delete "games", no one else will get to
> own them.


I don't know about RHEL and SLES, in the ordinary course of events, but
it certainly can happen in Debian.

I said "in the ordinary course of events" to exclude reference to
third-party software. If I provide some kind of server software,
installation may well involve creating a _system_ account. That is
perfectly consistent with how Linux vendors installed their standard
daemons - postgresql, apache, postfix et al all have their own system
accounts. It's the vendors' choice whether those accounts are part of
the standard set, or created when and if required. A third-party vendor
would create them when their software is installed, and if you have
removed some of the standard set, then yes the UIDs and GIDs can be reused.

And, if you ever have need to move a disk from one system to another,
where the mappings of UID/GIDs to names differ, you may have problems.




--

Cheers
John

-- spambait
1...@coco.merseine.nu  z1...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)



Re: Where does "games" come from?

2009-11-03 Thread Edmund R. MacKenty
On Tuesday 03 November 2009 11:48, Marcy Cortes wrote:
>No one has actually answered Paul's question about why it has to exist.  I'm
> curious about that too for my own edification.  Just because it's always
> been there and things *might* expect it isn't a very good reason in my
> opinion.

I'll take a swat at that one:

It doesn't *have* to exist, but some packages will attempt to install files 
owned by "games".  That's OK, you'll end up with some files owned by UID 12.  
No big deal unless you've modified /etc/login.defs, or explicitly create a 
user account with that UID, or installed some games. :-)

If you're curious to see just what files are owned by "games" on your system, 
run this command:

rpm -ql --dump -a | awk '$6 == "games" || $7 == "games" {print $1}'

On my system, I get exactly one file: /var/games.  Just an empty directory.

I think removing the "games" user is a no-brainer, and it isn't going to cause 
any problems.  If you somehow do manage to install a package that has files 
owned by "games" later on, your security scanner cron job should report it to 
you.

Oh: I ran the above command for the "ftp" user and group too: no output at 
all.  Of course, I don't have a lot of junk installed on this instance.  It's 
supposed to be a server, after all.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com  



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Mark Post wrote:

> No one has said it's rational or useful (at least I haven't), but it is
> necessary, for the numerous reasons everyone has been relating.  Technicians
> don't get to ignore executive management mandates.  They can, and do, criticize
> them and complain about them, but for something like this that is pretty small
> potatoes in the grand scheme of things, they do their job as directed.  There
> have been issues in the past where I would have refused to do as directed, but
> not for something this petty.


Well, in any case, now Marcy is committed to:

   * removing the accounts
   * validating that pam.conf disallows the reassignment of these accounts
   * searching for and removing the files and directories, if any,
 owned by the accounts
 o alternatively, finding a safe owner for them
 o Oh, and we haven't even discussed /group/ memberships yet :)
   * /altering/ the install files for /each and every upgrade/ of her
 system so these accounts aren't recreated
   * /validating the behavior /of any admin utilities she uses which
 /may  /presume the account existence (e.g., said install files)
   * /deducing/ the connection between any surprising later incident
 and the removal of the accounts

Please do post back, Marcy, should you discover any /more /work you've 
been inadvertently committed to by this interesting management directive.


A better use of the time you'll be spending on this is /reading the 
system security logs/. Mention that at your next committee meeting!


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread Alan Cox
> No one has actually answered Paul's question about why it has to exist.  I'm 
> curious about that too for my own edification.  Just because it's always been 
> there and things *might* expect it isn't a very good reason in my opinion.

Historically so that games could run as their own user so they could
update the shared high score files.

Alan



Re: Where does "games" come from?

2009-11-03 Thread Mark Post
>>> On 11/3/2009 at 11:33 AM, Jack Woehr  wrote: 
-snip-
> I'm more disturbed that this kind of snipe hunt, the deleting of 
> well-known no-login system accounts
> that date back in Unix history to the 1980's, is viewed by the Linux 390 
> community as a useful or
> rational activity that can be mandated by management without your 
> laughing in their faces.

No one has said it's rational or useful (at least I haven't), but it is 
necessary, for the numerous reasons everyone has been relating.  Technicians 
don't get to ignore executive management mandates.  They can, and do, criticize 
them and complain about them, but for something like this that is pretty small 
potatoes in the grand scheme of things, they do their job as directed.  There 
have been issues in the past where I would have refused to do as directed, but 
not for something this petty.


Mark Post



Re: Where does "games" come from?

2009-11-03 Thread Edmund R. MacKenty
On Tuesday 03 November 2009 11:16, Jack Woehr wrote:
>Edmund R. MacKenty wrote:
>> .  I don't think the UID/GID can be re-used, as
>> your vendor controls their assignments for system accounts and useradd(8)
>> will not assign UID/GID values below 500
>
>That number-below-which is controlled by the contents of /etc/login.defs
>I believe, which is an editable text file, not a hard limit.

Correct.  But in order for the scenario you described to occur, one of the 
following must happen:

1) A superuser edits /etc/login.defs and sets SYSTEM_USER_MIN to zero or some 
other very low value, or

2) A superuser runs "useradd -r -u 40 cracker" and gives that account to a 
plain user.

Either scenario requires an irresponsible superuser.  Marcy does not fall into 
that category.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com  

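As an added example (not code from the thread), this ties together Ed's "find the files owned by the deleted uid/gid" step from earlier in the thread and the UID-reuse scenarios just above, but offline: it takes an ownership inventory of the form GNU find would produce with `find / -xdev -printf '%U %G %p\n'`, plus copies of /etc/passwd, /etc/group and /etc/login.defs, and reports every file whose owner or group no longer maps to a name, labelling each unmapped id by the useradd range it falls in. The login.defs key names UID_MIN/UID_MAX/SYS_UID_MIN/SYS_UID_MAX are the shadow-utils names and are assumed here; all four inputs are constructed samples so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the LINUX-390 thread: offline audit of file
# ownership after deleting accounts such as "games".
#
# On a real system the inventory would be captured with GNU find, e.g.
#   find / -xdev -printf '%U %G %p\n' > inventory.txt
# and audited against /etc/passwd, /etc/group and /etc/login.defs.
# Everything below is a constructed sample so the script runs offline.

# Constructed passwd after "userdel games": no uid 12 entry remains.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
marcy:x:1000:100:Marcy:/home/marcy:/bin/bash'

# Constructed group after "groupdel games": no gid 40 entry remains.
SAMPLE_GROUP='root:x:0:
ftp:x:49:
users:x:100:'

# Constructed login.defs fragment; the key names are the shadow-utils
# ones (assumed here), adjust if the local file uses different names.
SAMPLE_LOGIN_DEFS='# constructed sample
SYS_UID_MIN   100
SYS_UID_MAX   499
UID_MIN      1000
UID_MAX     60000'

# Constructed inventory in "uid gid path" form, as find -printf emits.
SAMPLE_INVENTORY='0 0 /etc/passwd
12 40 /var/games
40 49 /srv/ftp
0 12 /usr/share/games/highscore
1000 100 /home/marcy/notes.txt
2500 100 /home/olduser/contract.pdf'

# orphan_report PASSWD GROUP LOGIN_DEFS INVENTORY
# Prints one line per file whose uid or gid has no name mapping:
#   <path> uid=<n>(<class>) gid=<n>(<class>)
# where class is "ok" for a mapped id, or for an unmapped id the range
# it sits in: "reusable-by-useradd" (UID_MIN..UID_MAX, where useradd
# picks ids without -u, so the next new user could silently inherit the
# files), "system-range" (SYS_UID_MIN..SYS_UID_MAX, needs -r), or
# "reserved" (below SYS_UID_MIN, static ids such as 12 for games).
orphan_report() {
    awk '
        FNR == 1 { file++ }
        file == 1 { split($0, f, ":"); uid[f[3]] = f[1]; next }   # passwd
        file == 2 { split($0, f, ":"); gid[f[3]] = f[1]; next }   # group
        file == 3 {                                                # login.defs
            if ($1 == "SYS_UID_MIN") sys_min = $2 + 0
            if ($1 == "SYS_UID_MAX") sys_max = $2 + 0
            if ($1 == "UID_MIN")     uid_min = $2 + 0
            if ($1 == "UID_MAX")     uid_max = $2 + 0
            next
        }
        function class(n) {
            if (n >= uid_min && n <= uid_max) return "reusable-by-useradd"
            if (n >= sys_min && n <= sys_max) return "system-range"
            return "reserved"
        }
        {                                                          # inventory
            u = $1; g = $2
            path = substr($0, length(u) + length(g) + 3)   # keeps spaces in paths
            uc = (u in uid) ? "ok" : class(u + 0)
            gc = (g in gid) ? "ok" : class(g + 0)
            if (uc != "ok" || gc != "ok")
                printf "%s uid=%s(%s) gid=%s(%s)\n", path, u, uc, g, gc
        }
    ' "$1" "$2" "$3" "$4"
}

# run_sample: write the constructed inputs to a temp dir, audit, clean up.
run_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD"     > "$d/passwd"
    printf '%s\n' "$SAMPLE_GROUP"      > "$d/group"
    printf '%s\n' "$SAMPLE_LOGIN_DEFS" > "$d/login.defs"
    printf '%s\n' "$SAMPLE_INVENTORY"  > "$d/inventory"
    orphan_report "$d/passwd" "$d/group" "$d/login.defs" "$d/inventory"
    rm -rf "$d"
}

run_sample
```

On the sample it flags /var/games (both ids unmapped and in the reserved range, i.e. only a `useradd -r -u 12` or a low UID_MIN could hand them to someone) and /home/olduser/contract.pdf, whose unmapped uid 2500 sits in the range useradd allocates from by default.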


Re: Where does "games" come from?

2009-11-03 Thread Marcy Cortes
Thank you Ed and Mark for the technical info and education.  Look for a request.
Thanks Alan for the well written, as usual, perspective.   I am on the review 
committee for next time around (not because of this but another different from 
Intel feature :)
And I have had to document all those VM ids as well. Luckily "z/VM Component" 
sufficed, although if IBM provided a line or 2 of comments in each one, it 
would be helpful (hint, hint).

No one has actually answered Paul's question about why it has to exist.  I'm 
curious about that too for my own edification.  Just because it's always been 
there and things *might* expect it isn't a very good reason in my opinion.   


Marcy 




Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Scott Rohling wrote:

> I'm glad you wouldn't be disturbed by user/accounts that you, the sysprog,
> deleted and finding them magically restored.

User accounts, yes. System accounts, no ... one is curious, but the
answer is pretty obvious,
One of the first posters in the discussion nailed it, anyway, so I
thought that was a dead issue.

> I am, Marcy is - and you are
> not helping.


I'm more disturbed that this kind of snipe hunt, the deleting of 
well-known no-login system accounts
that date back in Unix history to the 1980's, is viewed by the Linux 390 
community as a useful or
rational activity that can be mandated by management without your 
laughing in their faces.


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

PAUL WILLIAMSON wrote:

> how about imparting some of that vast
> knowledge you seem to be harboring in that horse of yours?

I already gave her the best technical advice she's gotten yet.

I said, "Don't do that, it doesn't add to your system security and it's
dangerous."

> Why does the user "games" have to exist on a linux system?

It owns some files. It can't login, that is why something like
/sbin/nologin (from memory) is its shell.


The more kozmik issue is that all sorts of utilities and regimens think
that certain well-known system accounts do exist. Due to
the open source context, it thus becomes a Halting Problem to determine
whether you're going to get surprises if you delete these
accounts.

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread Scott Rohling
When did Marcy indicate she didn't know the purpose of these accounts?

I think we all get (how could we not by now) that you think it's a bad idea
to remove 'system' ids.   That's a valid approach -- but it's not helpful to
Marcy - who obviously disagrees (as do I).

I'm glad you wouldn't be disturbed by user/accounts that you, the sysprog,
deleted and finding them magically restored.   I am, Marcy is - and you are
not helping.

Scott

On Tue, Nov 3, 2009 at 9:35 AM, Jack Woehr  wrote:

> Alan Altmark wrote:
>
>> Marcy's question wasn't unreasonable and neither is the policy to remove
>> unnecessary account ...
>>  But to implement the policy, *someone* has to be the
>> arbiter of "necessary", and I don't think it should be the system that's
>> being audited!
>>
> In the specific instance, most estimable Alan, your general guidance is
> wrong.
>
> Marcy was asking for help in deleting accounts she did not know the purpose
> of,
> /and/ the system /is/ the arbiter in that these system accounts own system
> files
> which are orphaned if the system accounts are deleted.
>
> In a worst-case scenario (that's what security planning is about, right?)
>
>  1. ftp system files are orphaned by deleting the account
>  2. a user account re-using the uid number for the vanished ftp
> account is accidentally created
>  3. Joe User gets control of FTP.
>
> /That's/ the sort of "security" result you get from dutifully following
> directives issued by ignorami
> endowed with Papal Infallibility.
>
>
> --
> Jack J. Woehr# «'I know what "it" means well enough, when I
> find
> http://www.well.com/~jax  # a thing,' said the
> Duck: 'it's generally a frog or
> http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in
> Wonderland_
>
>



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Edmund R. MacKenty wrote:
> I don't think the UID/GID can be re-used, as your vendor controls their
> assignments for system accounts and useradd(8) will not assign UID/GID
> values below 500

That number-below-which is controlled by the contents of /etc/login.defs
I believe, which is an editable text file, not a hard limit.


--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_



Re: Where does "games" come from?

2009-11-03 Thread Edmund R. MacKenty
On Monday 02 November 2009 22:00, Marcy Cortes wrote:
>It's not SuSEconfig.  I tried that.
>It must be maintenance to some particular package.
>Right now, we just clean up.  But it would be way better to not have to do
> that.

Mark nailed it: the aaa_base RPM is adding the "games" user in its 
post-install script.  The definition of the games account is in three files:

/var/adm/fillup-templates/group.aaa_base
/var/adm/fillup-templates/passwd.aaa_base
/var/adm/fillup-templates/shadow.aaa_base

which are also in the aaa_base package.  They define all the system accounts: 

root, bin, daemon, lp, mail, news, uucp, games, man, wwwrun, ftp, nobody

The aaa_base package is always going to be installed when upgrading the 
system, so you'll always get those user accounts back.  At least on SLES, and 
I think RHEL does something similar.

The fix is to remove the lines for user "games" from those files.  The next 
time you update aaa_base, it should install the files from the package into 
*.rpmnew files instead of overwriting your changes.  You will lose any other 
changes to those files being applied automatically; you'll have to check them 
to see if there are any new system accounts, but that would be rare.

As for the debate about whether removing the "games" user is A Good Thing To
Do or not: I think it's OK.  I can see why it scares the auditors, so removing
it removes a headache for you.  I don't think the UID/GID can be re-used, as
your vendor controls their assignments for system accounts and useradd(8)
will not assign UID/GID values below 500 unless you explicitly ask for it with
the -r option, which you're not going to ever use, right?  So even if there
are files owned by UID 12 after you delete "games", no one else will get to
own them.

Besides, you're running a security scanner that checks for files with UIDs 
that are not in /etc/passwd and notifies you, right?  So even if you do 
install some package that has a file owned by "games", you'll know about it 
soon enough.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street · Newton, MA 02466-2272 · USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com  
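Since this message turns on two mechanical things, files left owned by a UID that is no longer in /etc/passwd and the account lines shipped in the aaa_base fillup templates, here is an added example (not code from the thread, from SUSE, or from Rocket) of the checks it alludes to: listing files whose owner UID no longer exists, stripping one account's lines from a copy of a template, and reading UID_MIN from a login.defs-style file. All file names and file contents below are constructed, so it runs without root.

```sh
#!/bin/sh
# Added example, not code from the thread or from SUSE: three small checks a
# sysprog can script around deleting a vendor system account such as "games".
#   orphaned_owners - list files whose owning UID no longer exists in passwd
#                     (the "security scanner" check described in the thread)
#   strip_account   - drop one account's lines from a passwd/shadow/group-style
#                     file, e.g. a copy of /var/adm/fillup-templates/passwd.aaa_base
#   uid_min         - read UID_MIN from a login.defs-style file, the number
#                     below which useradd will not allocate UIDs
# All sample data below is constructed so the script runs without root.

# $1 = passwd(5)-format file, $2 = file of "UID PATH" lines such as
#      find / -xdev -printf '%U %p\n' produces.
# Prints the lines whose UID is not the third field of any passwd entry.
orphaned_owners() {
    awk -F: '
        FILENAME == ARGV[1] { known[$3] = 1; next }          # pass 1: live UIDs
        { split($0, f, " "); if (!(f[1] in known)) print }   # pass 2: filter
    ' "$1" "$2"
}

# $1 = account name, $2 = colon-separated file (passwd, shadow or group format)
# Prints the file with every line for that account removed.
strip_account() {
    awk -F: -v name="$1" '$1 != name' "$2"
}

# $1 = login.defs-style file. Prints the UID_MIN value, or "unset" if absent.
uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Demonstration on constructed files (placeholder entries, not a real system).
demo() {
    tmp=$(mktemp -d) || return 1

    # passwd after "games" (UID 12 on SLES, per the thread) has been deleted
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
marcy:x:1001:100:Marcy:/home/marcy:/bin/bash
EOF

    # a constructed "UID PATH" ownership listing of the same system
    cat > "$tmp/listing" <<'EOF'
0 /etc/passwd
12 /var/games/highscore
12 /usr/share/games/fortune
40 /srv/ftp
1001 /home/marcy/notes.txt
EOF

    # a constructed copy of the passwd fillup template shipped by aaa_base
    cat > "$tmp/passwd.aaa_base" <<'EOF'
root:x:0:0:root:/root:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
EOF

    printf 'UID_MIN   500\nUID_MAX   60000\n' > "$tmp/login.defs"

    echo "Files whose owner UID is no longer in passwd:"
    orphaned_owners "$tmp/passwd" "$tmp/listing"

    echo "Template with the games entry removed:"
    strip_account games "$tmp/passwd.aaa_base"

    echo "Lowest UID useradd will allocate: $(uid_min "$tmp/login.defs")"

    rm -rf "$tmp"
}

demo
```

To use it for real, feed orphaned_owners the live /etc/passwd and the output of the find command named in the comment, and run strip_account against a copy of each fillup template before putting the edited copy in place.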



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

Alan Altmark wrote:
> Marcy's question wasn't unreasonable and neither is the policy to remove
> unnecessary account ... But to implement the policy, *someone* has to be
> the arbiter of "necessary", and I don't think it should be the system
> that's being audited!

In the specific instance, most estimable Alan, your general guidance is
wrong.


Marcy was asking for help in deleting accounts she did not know the
purpose of, /and/ the system /is/ the arbiter in that these system
accounts own system files which are orphaned if the system accounts are
deleted.

In a worst-case scenario (that's what security planning is about, right?)

  1. ftp system files are orphaned by deleting the account
  2. a user account re-using the uid number for the vanished ftp
 account is accidentally created
  3. Joe User gets control of FTP.

/That's/ the sort of "security" result you get from dutifully following
directives issued by ignorami endowed with Papal Infallibility.

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread PAUL WILLIAMSON
>>> Jack Woehr  11/3/2009 9:41 AM >>>
> There's a wonderful story from Roman imperial history about the 
> Roman official in, I think it was Belgium, who rigidly interpreted 
> a tax-in-kind of  "hides" as "ox-hides", a very expensive 
> commodity, leading to the impoverishment and subsequent 
> rebellion of the province, resulting in thousands of deaths 
> and untold property destruction.
> I'm sure that when questioned about his decision, he used the 
> perennial, tried-and-true rationale of the incompetent 
> bureaucrat :"I have no discretion to vary the rules."
>
> The term of art for this kind of behavior, whether it be exhibited 
> in statecraft or information management, is /"self-defeating 
> stupidity/". It has been chronicled exhaustively by wiser and 
> witter persons than myself, from Jonathan Swift to Dr. 
> Raymond Peter to Scott Adams.
Do you wear a tin foil hat all the time too?  I have yet to hear 
one technical bit of help from you to Marcy.  Rather than 
blabbering about something over which you obviously 
have no control, how about imparting some of that vast 
knowledge you seem to be harboring in that horse of yours?
 
Either answer the question, provide some valuable feedback,
or stop b!tch!ng about it - go to some political forum to discuss 
why your state/country/world is in the situation it is.
 
Since the question hasn't really been asked, I'll ask, because 
I *know* our auditors will be asking during the next round, 
and I'd like to be prepared.
 
Why does the user "games" have to exist on a linux system?
 
 





Re: Where does "games" come from?

2009-11-03 Thread Dodds, Jim
Very well said Alan ... Chuckie must still be hung over from
Halloween

Jim Dodds
Systems Programmer
Kentucky State University
400 East Main Street
Frankfort, Ky 40601
502 597 6114





Re: Where does "games" come from?

2009-11-03 Thread Alan Altmark
On Tuesday, 11/03/2009 at 08:27 EST, "McKown, John"
 wrote:
> This sort of thing comes up on the z/OS RACF forum with distressing
> regularity. The "smart money" always responds that the auditor is not the
> maker of the rules / policies. The auditor is supposed to get a list of the
> company rules / policies and simply confirm that the department being
> audited either does or does not pass the audit with documentation when it
> does not. Unfortunately, auditors of today have become "activist judges"
> who are making laws from the bench. And corporate management is letting
> them do it (likely because corporate management doesn't know how to manage
> anymore).

So, the good news is that the auditor has discretion and can adapt to
conditions on the ground.  The bad news is that the auditor has discretion
and can impose their will.  It is a two-edged sword that no amount of
complaining about will dull; it's inherent in the system.  The Flaw.  The
Anomaly.

Sometimes it's just politics.  Whatever moron thought that user name
"games" should be used by non-gaming packages or internal componentry
should be taken out back and summarily Dealt With.  This means Marcy has
to explain that, no, there aren't really any games installed.  (Go ahead,
prove a negative.)

Marcy's question wasn't unreasonable and neither is the policy to remove
unnecessary account.  But to implement the policy, *someone* has to be the
arbiter of "necessary", and I don't think it should be the system that's
being audited!  I.e. Perhaps you should be able to tell rpm "don't install
anything that references username games".

I get similar requests for z/VM: Explain what all of these users are in
USER DIRECT are and why they need the privilege they need.  It doesn't
matter that they've been there for 25 (or 40) years and that people "in
the know" don't worry about it.  The auditors aren't necessarily experts
in all operating systems and aren't steeped in all lore.  They're just
good people trying to do their job to the best of their ability with
insufficient resources.  (Sound familiar?)

So let's not rush to judgement and instead give Marcy the information she
needs to *satisfy* the auditors (her goal).  I can't imagine that taking
on Wells Fargo IT security policy in the LINUX-390 listserver will help
anyone, particularly Marcy.

Most companies review their IT security policy (and auditor guidelines) on
a regular basis.  If you find that you are always having to get filed
Deviations or Exceptions for your systems, or answer too many irrelevant
questions, then it would be a Good Thing to insert yourself in to the
review process.  Trying to change The Rules outside of this mechanism
usually wastes your time and annoys the pig.

Alan Altmark
z/VM Development
IBM Endicott



Re: Where does "games" come from?

2009-11-03 Thread Jack Woehr

R P Herrold wrote:
> They are doing a job without any discretion to vary the rules;

There's a wonderful story from Roman imperial history about the Roman
official in, I think it was Belgium, who rigidly interpreted a tax-in-kind
of "hides" as "ox-hides", a very expensive commodity, leading to the
impoverishment and subsequent rebellion of the province, resulting in
thousands of deaths and untold property destruction. I'm sure that when
questioned about his decision, he used the perennial, tried-and-true
rationale of the incompetent bureaucrat: "I have no discretion to vary
the rules."

The term of art for this kind of behavior, whether it be exhibited in
statecraft or information management, is /"self-defeating stupidity"/. It
has been chronicled exhaustively by wiser and wittier persons than myself,
from Jonathan Swift to Dr. Raymond Peter to Scott Adams.

--
Jack J. Woehr# «'I know what "it" means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_




Re: Where does "games" come from?

2009-11-03 Thread Alan Cox
On Tue, 3 Nov 2009 19:21:37 +1300
Rodger Donaldson  wrote:

> Marcy Cortes wrote:
> > Thanks Scott.  I started to answer that question earlier but apparently 
> > didn't hit send.
> >
> > Userdel is what I used to remove them from the golden image.
> >
> > I suspect it was maintenance.  Recently SP3 went on a bunch of servers.
>
> rpm -qf /etc/passwd will tell you who owns /etc/passwd, which would be
> the obvious patch-related culprit (for certain odd values of 'culprit').

On most distributions the password entries are updated by various rpm
scripts and tools. The rpm packaging system also uses owner names not
fixed id numbers when installing so removing entries will leave you with
potentially bogus/invalid ownerships and/or reuse of stuff that should be
separated by the same id.



Re: Where does "games" come from?

2009-11-03 Thread McKown, John
> -Original Message-
> From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On 
> Behalf Of Mark Post
> Sent: Monday, November 02, 2009 11:25 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Where does "games" come from?
> 
> >>> On 11/2/2009 at 11:53 PM, Jack Woehr  wrote: 
> -snip-
> > I have peered the glass house environment, but never really 
> grokked it.
> 
> It's got nothing to do with the "glass house."  I ran into 
> the same mind set more with UNIX auditors than I ever did 
> with mainframe auditors.  At that time, mainframe auditors 
> largely knew what they were doing, whereas most UNIX auditors 
> didn't seem to (as much).  Not to say there wasn't more 
> emphasis on smaller stuff than necessary, but by and large 
> they weren't bad.  It was the open systems auditors that had 
> the long, long list of hard and fast rules that no one could 
> argue with.
> 
> 
> Mark Post

This sort of thing comes up on the z/OS RACF forum with distressing regularity. 
The "smart money" always responds that the auditor is not the maker of the 
rules / policies. The auditor is supposed to get a list of the company rules / 
policies and simply confirm that the department being audited either does or 
does not pass the audit with documentation when it does not. Unfortunately, 
auditors of today have become "activist judges" who are making laws from the 
bench. And corporate management is letting them do it (likely because corporate 
management doesn't know how to manage anymore).

--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com




Re: Where does "games" come from?

2009-11-03 Thread Rodger Donaldson

Marcy Cortes wrote:
> Thanks Scott.  I started to answer that question earlier but apparently
> didn't hit send.
>
> Userdel is what I used to remove them from the golden image.
>
> I suspect it was maintenance.  Recently SP3 went on a bunch of servers.


rpm -qf /etc/passwd will tell you who owns /etc/passwd, which would be
the obvious patch-related culprit (for certain odd values of 'culprit').



Re: Where does "games" come from?

2009-11-03 Thread R P Herrold

On Mon, 2 Nov 2009, Jack Woehr wrote:
> Which is why I reflexively snarl when I hear about fools
> masquerading as computer security personnel handing down
> such guidelines.


But they are NOT 'masquerading as computer security personnel'
-- From Marcy's sending email domain, I suspect that she is
dealing with an 'assessor' under the CISP/PCI auditing
guidelines for credit card data security.  Often, the assessor
has a checklist from his or her superiors, with an item like
this item to tick off ('remove unnecessary or unused
accounts').  I have an old source material farm for a course
in this space I taught at:
http://www.owlriver.com/issa/

They are doing a job without any discretion to vary the rules;
it MAY be possible to get such a variance, but it is not free,
and at the end of the day, probably not something the
'C-level' people to whom her working group reports are
interested in doing.  To 'reflexively snarl' is not
productive and simply reflects badly on a person trying to
demonstrate professionalism to justify such a variance is
proper (in their exercise of sound judgment).

I spent a couple of weeks with the author of the CISP 2.0
revisions (who worked for a 'name' international accounting
firm) leading an entity I was contracting for through such,
and found him completely reasonable, and amenable to logic.
But at the end of the day, he needed to follow the equivalent
of an 'audit plan' and would be down-ticked for not doing so.
In no fashion was he 'masquerading', and he had a firm grasp
of the issues in play.  But he was not to substitute his
discretion for clear rules.

And frankly as a matter of loss prevention, I would just as
soon that a random and undocumented exception NOT expose my
personal details to some skript kiddie trawling for cleartext
goodies.

-- Russ herrold



Re: Where does "games" come from?

2009-11-03 Thread Alan Cox
On Mon, 2 Nov 2009 21:00:18 -0600
Marcy Cortes  wrote:

> You can restrict them up the wazoo but if someone has written a security law 
> that says "remove unnecessary accounts", you'd like them to stay removed when 
> you remove them.
> And it's pretty darn hard to convince an auditor that "games" are necessary 
> on a server that processes financial transactions.  Can you see the big red 
> flags waving around?
>
> It's not SuSEconfig.  I tried that.
> It must be maintenance to some particular package.
> Right now, we just clean up.  But it would be way better to not have to do 
> that.

You are playing the wrong game ;)

"Remove unnecessary user accounts"
"I've checked carefully. It isn't a user account, it's a file ownership
tag reserving a uid for file system use, it cannot be used to log into the
machine"

(and if need be of course ask your supplier to confirm that and file the
response somewhere safe for the auditbogons)

and if they keep complaining you then say things like

"You realise if I remove the entry then the user id may get reassigned to
something else leaving old files with unsafe ownership and threatening
security" (which btw is *TRUE* - it's unlikely to risk security but if the
id is dynamically assigned by your system then not only might it come
back but something else might get that id with bad for system results)

"If I remove this entry then the system is not operating as provided,
I'll need to discuss this with our support vendor and get written
confirmation"

I also loved this response (for telco equipment originally and learned
working for a Telco) and preferably said in the best impression of utter
cluelessness

"Gee I'm glad you know something about this stuff, I just need that in
 writing from you for the change request so we know who to sue if it
 breaks"

Incidentally the origin in audit of a lot of the "delete user accounts"
policies is sound. Historically there were lots of break-ins through
things like VMS system maintenance accounts, stale real user ids and also
things like uucp default configurations left open by vendors.

I don't think anyone would argue about removing spare user accounts, just
that these are not user accounts and fixing that description is how you
fix the problem.

Alan
--
"I tried working for myself, but my boss was an idiot"



Re: Guest network connection error

2009-11-03 Thread van Sleeuwen, Berry
Would the Q V NIC DET show any different results than the Q VSWITCH DET
on VM? When I take a look at another guest the output from both commands
is almost the same.

When on VM, the output from the Q VSWITCH DET doesn't show any
differences between the 3 guests.

Berry.

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
Mark Ver
Sent: dinsdag 3 november 2009 6:50
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Guest network connection error

> So then it should be a layer 3? I'm a bit confused here. I had the
> impression that layer 2 would set vlan on VM and layer 3 would require
> the vlan to be set inside the linuxguest, ie eth0.105. Or do I confuse
> this with trunc or access porttype?

Yeah that does sound like you were thinking more of the porttype config.
Porttype access definitely lets the Linux guest configure things without
explicitly setting up the VLAN 8021q driver.  Porttype trunk looks like
it does require the guest to be VLAN aware, though we don't have any
configured in our lab to really check how you'd configure Linux for it.

As far as I know the VLAN support is independent of the layer2/layer3
mode.

Hmm ... about the original network connection problem ... does "query
virtual nic detail" on the linux guest show any kind of discrepancies?


- Mark Ver

office:  Building 710 / Room 2-RF-10
phone: (845) 435-7794  [tie 8 295-7794]

