Re: Hearing the truth??

From: Byron Sonne (blsonne_at_rogers.com)
Date: 02/18/04

    Date: Wed, 18 Feb 2004 14:09:16 -0500
    To: "OBrien, Brennan" <BOBrien@columbia.com>, focus-sun@securityfocus.com
    
    

    > I've got an interesting situation at the office I could use some advice
    > on. I'm being asked from a security perspective whether the following
    > statement (made by our Unix admins) could be considered true:
    >
    > "The only way you can delete a user account on a unix environment is to
    > write a series of scripts to eliminate file associations."
    >
    > So, while I don't disagree with the logic, is this actually the case
    > that there are no commercial tools available to assist in this arena,
    > and the only method of deleting a user on a system safely and
    > effectively is to write a bunch of scripts on your own? This just begs
    > to be a problem solved by a commercial entity if it's actually the case.
    >
    >
    > We're in a Sun environment. Some thoughts would be appreciated.

    Well that certainly doesn't sound right :)

    Every unix or unix clone (linux) has built in commands for adding and
    removing users (useradd, userdel, rmuser, whatever it happens to be on
    your flavour). Usually command line based although there are gui utils
    for the skill or time impaired. Sometimes there are multiple commands
    offering different functionality. One of these could be a script, but
    they're usually binaries.

    Of course, who knows what customizations have been done in your
    environment. Perhaps they're lower level admins who don't have the
    permissions to use these command line based utilities. Sun does have a
    gui sysadmin utility and perhaps this capability has been denied them
    via this route as well, leaving them no recourse but scripting something.

    Sun, eh? I'm an SCSA. The 'smuser delete' command has no option to
    remove the home directory automatically; you gotta go back and do that.
    But the 'userdel' command can remove it all lock, stock & barrel if you
    pass it '-r'. Maybe they're not aware of this particular command option.

    On a pedantic level, none of the user files have to be removed to remove
    a user account. All you need to do, in the typical situation, is have
    the appropriate entries/references in the passwd, group and shadow files
    removed. YMMV since there are a number of other authentication schemes.

    On an even more pedantic level, if by 'account' they mean everything,
    the above entries and user files being eliminated completely, then
    they're still wrong, as you'd need to 'eliminate file associations' AND
    remove entries from the aforementioned files.

    Most pedantic of all, who says you even need to write a script? Drop to
    shell and issue the commands one after the other.

    Are you sure these folks weren't Windows admins masquerading as unix
    admins for some reason?

    -- 
    For Good, return Good. For Evil, return Justice.
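
The reply above separates two things: the passwd, group and shadow entries, and the files the user owned. The script below is an added example, not part of the original post, that reports what still refers to an account. The function names and the sample account jdoe are hypothetical, and POSIX awk and find are assumed.

```shell
#!/bin/sh
# Added example: list what still refers to an account after (or before) removal.
# File paths are arguments so the check can run on copies; on a live host
# they would be /etc/passwd, /etc/group and /etc/shadow.

# account_entries USER PASSWD GROUP SHADOW
# Prints "passwd", "shadow" and "group:<name>" for each entry naming USER.
account_entries() {
    awk -F: -v u="$1" '$1 == u { print "passwd" }' "$2"
    awk -F: -v u="$1" '$1 == u { print "shadow" }' "$4"
    # Field 4 of a group entry is the comma-separated member list.
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print "group:" $1
    }' "$3"
}

# files_owned_by NUMERIC_UID DIR
# Files survive the account: they are tied to the numeric UID, not the name.
files_owned_by() {
    find "$2" -user "$1" -print
}

# account_residue USER NUMERIC_UID PASSWD GROUP SHADOW DIR
account_residue() {
    account_entries "$1" "$3" "$4" "$5"
    files_owned_by "$2" "$6" | sed 's/^/file:/'
}

# Constructed sample data: jdoe's passwd and shadow lines are already gone,
# but a group membership and files under the old home directory remain.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0::/root:/sbin/sh\n' > "$d/passwd"
    printf 'root:NP:6445::::::\n' > "$d/shadow"
    printf 'staff::10:\nsysadmin::14:root,jdoe\n' > "$d/group"
    mkdir "$d/home" && : > "$d/home/.profile"
    # The files belong to whoever runs the demo, so that UID stands in for jdoe's.
    account_residue jdoe "$(id -u)" "$d/passwd" "$d/group" "$d/shadow" "$d/home"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a live host, note the account's numeric UID before deleting it; afterwards `find / -nouser` lists files left behind by any removed account, which matters because a later account given the same UID would own them.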
    
