Re: Hearing the truth??
From: Daniel J Shauver (shauver_at_rush.edu)
Date: 02/19/04
- Previous message: Mathieu Nantel: "Re: Hearing the truth??"
- Maybe in reply to: OBrien, Brennan: "Hearing the truth??"
- Next in thread: OBrien, Brennan: "RE: Hearing the truth??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-sun@securityfocus.com
Date: Thu, 19 Feb 2004 14:05:11 -0600
> All:
>
> I've got an interesting situation at the office I could use some advice
> on. I'm being asked from a security perspective whether the following
> statement (made by our Unix admins) could be considered true:
>
> "The only way you can delete a user account on a unix environment is to
> write a series of scripts to eliminate file associations."
<SNIPPED>
> We're in a Sun environment. Some thoughts would be appreciated.
Brennan,
There have been a number of comments, useful and not, about
deleting users, and removing files. Dealing specifically with file
associations, while local unix filesystems could be handled with the
simple find/rm trick mentioned in another email, that may not work/be
appropriate if remote filesystems are involved. There may also be
complicating factors if you're dealing with encrypted filesystems. The
task could also become more complicated if you don't have a centralized
authentication scheme, and/or are dealing with inconsistent UIDs across
the various Unix servers (user a has uid 9 on box a, uid 10 on box b,
etc).
While it does seem like a single script could be written to
handle most of the issues, it's hard to make a definitive statement
without knowing more about your environment than you're likely to be
comfortable divulging, even on such a highly reputable security-focused
list. ;)
If you extend the question beyond simply file associations, it's
not uncommon for a user to be defined both locally on a unix system
(with or without login privileges) as well as within an application
resident on a unix system. If your Unix admins are responsible for
both, and haven't implemented a single-sign-on solution (far easier to
type than to do), they may also have to map varying loginids/usernames
on separate servers to a number of different applications. That could,
in the end, require more than one script, depending on the complexity of
the environment, and the state of user account management and
centralized authentication.
Dan Shauver
Unix Geek
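Added example, not code from the post or the list: a POSIX sh audit that inventories a departing user's files on local filesystems only (skipping remote mounts via -xdev) and looks the user's UID up per host, since the UID may differ from box to box as described above. It reports rather than deletes, so the list can be reviewed first; host names and UIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Lists files owned by a
# departing user on LOCAL filesystems, using a per-host UID map because the
# same person may hold different UIDs on different servers.
set -u

# Constructed map, "<host> <uid>" per line, mirroring the "uid 9 on box a,
# uid 10 on box b" situation from the post.
UID_MAP='boxa 9
boxb 10
boxc 9'

# uid_for_host HOST -> prints the UID the departing user holds on HOST.
# Returns non-zero when HOST is unmapped, so callers never fall back to a
# wrong UID silently.
uid_for_host() {
    _uid=$(printf '%s\n' "$UID_MAP" | awk -v h="$1" '$1 == h { print $2; exit }')
    [ -n "$_uid" ] || return 1
    printf '%s\n' "$_uid"
}

# orphan_files ROOT UID -> prints every path under ROOT owned by UID while
# staying on the filesystem ROOT lives on (-xdev), so NFS and other remote
# mounts are not touched. (Solaris find also offers -local for this.)
orphan_files() {
    find "$1" -xdev -user "$2" -print 2>/dev/null
}

# orphan_count ROOT UID -> number of such paths, for a quick summary.
orphan_count() {
    orphan_files "$1" "$2" | wc -l | tr -d ' '
}

# Typical use on each server, before any account removal:
#   uid=$(uid_for_host "$(hostname)") && orphan_files / "$uid" > /var/tmp/orphans.txt
```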