Re: Hearing the truth??

From: Mathieu Nantel (nantel_at_ecopiabio.com)
Date: 02/18/04

  • Next message: Daniel J Shauver: "Re: Hearing the truth??"
    To: focus-sun@securityfocus.com
    Date: Wed, 18 Feb 2004 13:51:58 -0500
    
    

    Well, I'm not sure why it was worded like this. You need to delete the user's
    entries in /etc/passwd and /etc/shadow. That's done by "userdel". That's what
    I call "deleting a user".

    Now from the perspective of "files", it's not very elegant to delete an
    account (remove the entries from /etc/passwd and shadow) when the user still
    has files lying about. The thought here is that deleting the account makes
    the files that the user owned show a UID instead of a username. Purely
    "functional". In no way does it prevent you from deleting the account.

    What I typically do is change the user's shell to /bin/false and passwd -l the
    account. Then, you can find all the files the user owned and change the owner
    to someone else. This part would be specific to your environment.

    So getting back to the affirmative "The only way you can delete a user account
    on a unix environment is to write a series of scripts to eliminate file
    associations." : this is false unless it is clarified.

    Mat

    On Tuesday February 17 2004 20:22, OBrien, Brennan wrote:
    > All:
    >
    > I've got an interesting situation at the office I could use some advice
    > on. I'm being asked from a security perspective whether the following
    > statement (made by our Unix admins) could be considered true:
    >
    > "The only way you can delete a user account on a unix environment is to
    > write a series of scripts to eliminate file associations."
    >
    > So, while I don't disagree with the logic, is this actually the case
    > that there are no commercial tools available to assist in this arena,
    > and the only method of deleting a user on a system safely and
    > effectively is to write a bunch of scripts on your own? This just begs
    > to be a problem solved by a commercial entity if it's actually the case.
    >
    >
    > We're in a Sun environment. Some thoughts would be appreciated.
    >
    > Brennan

    -- 
    ===================================================================
    Mathieu Nantel - RHCE,CCNA                       Ecopia BioSciences
    Systems Manager                                 (514) 336-2724 x434
    nantel@ecopiabio.com
    ===================================================================
    [*] Please avoid sending me Word/Excel/PowerPoint attachments.
     `----> See: http://www.fsf.org/philosophy/no-word-attachments.html
    ===================================================================
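
The disable-then-reassign procedure described in this message, as an added example that is not part of the original post. The function names are hypothetical, and the user argument may be a login name or a bare UID.

```shell
#!/bin/sh
# Added example: helper names (lock_account, owned_by, owned_privileged,
# reassign) are hypothetical and not from the original message.

# Step 1: stop logins without removing the passwd/shadow entries yet.
lock_account() {    # usage: lock_account <login>
    passwd -l "$1" && usermod -s /bin/false "$1"
}

# Step 2: inventory everything the account owns under a directory tree.
# POSIX find treats a numeric -user argument as a UID when no login of
# that name exists, so this also finds files left behind after userdel.
# -xdev keeps the walk on one filesystem (no wandering into NFS mounts).
owned_by() {        # usage: owned_by <root-dir> <login-or-uid>
    find "$1" -xdev -user "$2" -print 2>/dev/null
}

# Setuid/setgid files owned by the account: review these by hand before
# handing them to another owner, since they run with the owner's identity.
owned_privileged() {  # usage: owned_privileged <root-dir> <login-or-uid>
    find "$1" -xdev -user "$2" -type f \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Step 3: hand the files to a new owner. chown -h changes a symlink
# itself instead of following it to a target outside the tree.
reassign() {        # usage: reassign <root-dir> <login-or-uid> <new-owner>
    find "$1" -xdev -user "$2" -exec chown -h "$3" {} +
}

# Typical order, run as root (names below are placeholders):
#   lock_account olduser
#   owned_by /export/home olduser > /var/tmp/olduser.files
#   owned_privileged / olduser
#   reassign /export/home olduser newowner
#   userdel olduser
```

Saving the `owned_by` listing before running `reassign` keeps a record of what belonged to the account once the ownership has changed.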
    
