Re: Hearing the truth??
From: Byron Sonne (blsonne_at_rogers.com)
Date: Wed, 18 Feb 2004 14:09:16 -0500
To: "OBrien, Brennan" <BOBrien@columbia.com>, firstname.lastname@example.org
> I've got an interesting situation at the office I could use some advice
> on. I'm being asked from a security perspective whether the following
> statement (made by our Unix admins) could be considered true:
> "The only way you can delete a user account on a unix environment is to
> write a series of scripts to eliminate file associations."
> So, while I don't disagree with the logic, is this actually the case
> that there are no commercial tools available to assist in this arena,
> and the only method of deleting a user on a system safely and
> effectively is to write a bunch of scripts on your own? This just begs
> to be a problem solved by a commercial entity if it's actually the case.
> We're in a Sun environment. Some thoughts would be appreciated.
Well that certainly doesn't sound right :)
Every unix or unix clone (linux) has built-in commands for adding and
removing users (useradd, userdel, rmuser, whatever it happens to be on
your flavour). Usually command line based, although there are gui utils
for the skill or time impaired. Sometimes there are multiple commands
offering different functionality. One of these could be a script, but
they're usually binaries.
Of course, who knows what customizations have been done in your
environment. Perhaps they're lower level admins who don't have the
permissions to use these command line based utilities. Sun does have a
gui sysadmin utility and perhaps this capability has been denied them
via this route as well, leaving them no recourse but to script something.
Sun, eh? I'm an SCSA. The 'smuser delete' command has no option to
remove the home directory automatically; you gotta go back and do that.
But the 'userdel' command can remove it all lock, stock & barrel if you
pass it '-r'. Maybe they're not aware of this particular command option.
On a pedantic level, none of the user files have to be removed to remove
a user account. All you need to do, in the typical situation, is have
the appropriate entries/references in the passwd, group and shadow files
removed. YMMV since there are a number of other authentication schemes.
On an even more pedantic level, if by 'account' they mean everything,
the above entries and user files being eliminated completely, then
they're still wrong, as you'd need to 'eliminate file associations' AND
remove entries from the aforementioned files.
Most pedantic of all, who says you even need to write a script? Drop to
shell and issue the commands one after the other.
Are you sure these folks weren't Windows admins masquerading as unix
admins for some reason?
-- For Good, return Good. For Evil, return Justice.
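As an added illustration of the point made above (not part of the original message or of any Sun tool), here is a read-only audit in POSIX shell that lists everything still referring to an account, so you can see what removing the passwd/group/shadow entries leaves behind and what 'userdel -r' does and does not clean up. Paths assume Solaris conventions (/export/home, /var/spool/cron/crontabs, /var/mail); ROOT is an assumed variable so it can be pointed at a copied or scratch tree instead of a live system. The scratch tree and the user 'bob' in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Account-removal audit (example code, not a Sun or system utility).
# Read-only: prints one line per leftover reference to an account.
# ROOT=/ on a live host; any other directory acts as a copied or scratch tree.
: "${ROOT:=/}"

# uid_of USER: numeric uid from $ROOT/etc/passwd, empty if there is no entry.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$ROOT/etc/passwd" 2>/dev/null
}

# account_residue USER [UID]: list what still references the account.
# Give the UID explicitly once the passwd entry is gone (after a plain
# userdel): files on disk are owned by the number, not by the name, and
# a later useradd that reuses the number silently inherits them.
account_residue() {
    user=$1
    uid=${2:-$(uid_of "$user")}

    if [ -n "$(uid_of "$user")" ]; then
        echo "passwd: entry present (uid $uid)"
    fi
    if grep -q "^$user:" "$ROOT/etc/shadow" 2>/dev/null; then
        echo "shadow: entry present"
    fi
    # /etc/group is name:pw:gid:member,member,...; report every group
    # that still lists the user as a member.
    awk -F: -v u="$user" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print "group: member of " $1 }
    ' "$ROOT/etc/group" 2>/dev/null
    if [ -f "$ROOT/var/spool/cron/crontabs/$user" ]; then
        echo "cron: crontab present"
    fi
    if [ -f "$ROOT/var/mail/$user" ]; then
        echo "mail: spool present"
    fi
    if [ -d "$ROOT/export/home/$user" ]; then
        echo "home: $ROOT/export/home/$user present"
    fi
    # The "file associations": anything owned by the uid in the usual
    # places. userdel -r removes the home directory only, so scratch
    # files elsewhere survive. The top directory itself is filtered out
    # because on a scratch tree it belongs to whoever built the tree.
    if [ -n "$uid" ]; then
        for d in "$ROOT/export/home" "$ROOT/tmp" "$ROOT/var/tmp"; do
            if [ -d "$d" ]; then
                find "$d" -user "$uid" -print 2>/dev/null |
                    awk -v top="$d" '$0 != top { print "file: owned by uid, " $0 }'
            fi
        done
    fi
    return 0
}

# residue_count USER [UID]: number of leftover references; 0 means clean.
residue_count() {
    account_residue "$@" | wc -l | tr -d ' '
}

# Typical live-host sequence on Solaris (root; not executed by this script):
#   uid=$(uid_of bob); pkill -u bob; crontab -r bob; userdel -r bob
#   account_residue bob "$uid"      # whatever prints is manual cleanup
if [ "$#" -gt 0 ]; then
    account_residue "$@"
fi
```

Record the uid before running userdel: once the passwd line is gone, 'find -user' with the bare number is the only way to locate the files that still belong to the old account.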