From: Matthew Seaman
To: meimi
Cc: freebsd-questions@freebsd.org
Date: Fri, 20 Feb 2004 17:06:22 +0000
Subject: Re: Removing system user
Message-ID: <20040220170622.GD4997@happy-idiot-talk.infracaninophile.co.uk>

On Fri, Feb 20, 2004 at 11:51:03PM +0800, meimi wrote:
> I have read some document about server hardening. It suggests removing
> the following users:
> operator, games, news, uucp
> and following groups:
> operator, staff
> I can guess that games is used for playing and news is used for reading
> news in news group. How about the others? Their descriptions in passwd are
> not clear.
> Am I safe to remove them in normal server environment (web, mail, ftp,
> DNS, SSH)?

You can certainly remove those users and groups, but it's unlikely to
gain you very much and quite likely to cause you some problems. It
will certainly make it harder for you to do routine updates on your
system, possibly including some security patches.

So long as you don't alter the entries in the master.passwd and group
files for those entities, you're pretty safe. Those IDs exist mostly
to be the owners of various files: note that the shell has been set to
/sbin/nologin and the password for those accounts has been locked and
that they have no special privileges despite the low UID and GID
numbers -- as such they are rather less dangerous than the account you
use to log in via.

All in all, I wouldn't bother touching those accounts.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
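
The reply above rests on two properties of these accounts: a locked password and a /sbin/nologin shell. As an added example (not part of the original message), this sh function checks both for named accounts in a file in master.passwd(5) layout; the function names, output wording and sample lines are constructed for illustration, and `*` or a `*LOCKED*` prefix is assumed to be the lock marker.

```shell
#!/bin/sh
# Added example, not from the original thread.
# master.passwd(5) layout assumed:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# audit_accounts FILE NAME...
# Prints one line per account: "<name> ok", "<name> absent",
# or "<name> CHECK <reasons>" when it could be used to log in.
audit_accounts() {
    file=$1; shift
    for name in "$@"; do
        awk -F: -v n="$name" '
            $1 == n {
                found = 1; why = ""
                # "*" or a "*LOCKED*" prefix can never match a password hash
                if ($2 != "*" && index($2, "*LOCKED*") != 1)
                    why = why " password-not-locked"
                # any shell other than .../nologin allows an interactive session
                if ($10 !~ /\/nologin$/)
                    why = why " shell=" $10
                print n, (why == "" ? "ok" : "CHECK" why)
            }
            END { if (!found) print n, "absent" }
        ' "$file"
    done
}

# Constructed sample (not copied from a real system). "uucp" is given a
# password hash and a login shell on purpose; "news" is left out.
sample_passwd() {
    cat <<'EOF'
operator:*:2:5::0:0:System &:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
uucp:$1$constructed$hash:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/bin/sh
EOF
}

# Demo on the sample; on a real host, pass /etc/master.passwd as root.
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_accounts "$tmp" operator games news uucp
rm -f "$tmp"
```

An account reported as `ok` matches the state described in the reply and can be left in place; a `CHECK` line is the case worth fixing, by locking the password or resetting the shell rather than deleting the account.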