SUMMARY: does system accounts need passwords?

From: Hee_Meng_HO@lta.gov.sg
Date: Wed Aug 23 2000 - 20:53:45 CDT


Hi everyone,

Thanks to Alon Friedman, Casper Dik, Stephen Harris, Matthew Stier, Mark
Neil MIDTIER, mike.salehi, Ric Anderson, Pete Fritchman, Jonathan Loah and
Sean Quaint for their great help. Apologies if I accidentally missed out
any names.

Now, the short answers to both my questions (see below) are:
1) No.
This is not true at all. Initially, it appears that from the /etc/passwd
file, the system accounts (lower UID) do not have shell access as indicated
in the last field which is blank. However, as rightfully pointed out by
some, the blank column simply means that "this account is using the default
shell access which is /sbin/sh" and does not mean that the account is not
assigned with a shell access.

However, if we look at the /etc/shadow file, we will notice that the system
accounts are typically prevented from having passwords by having *NP* (no
password) or *LK* (locked) in their hashed password field.

2) No.
System accounts are those with lower UIDs (I think UID < 100, have to read
the manual to confirm). And as pointed out above, all accounts have shell
access. The shell type field and the hashed passwd field are totally
unrelated.

Thanks gurus for helping out. I appreciate the fast response.

cheers!

*** Original Question ***

Hi gurus,

I'm tightening my OS based on a guideline.

This guideline has a clause that states that all accounts should be
protected with strong passwords.

Now, when I look at my /etc/passwd file, I see that system accounts such as
uucp, daemon, bin, sys, adm, lp, nuucp, listen, nobody, nobody4, noaccess,
smtp do not have any shell access - that is, the last column is left empty
as in:

daemon:x:1:1::/:
bin:x:2:2::/usr/bin:

My question is:
1) A trainer once told me that if the accounts (in this case the system
accounts) do not have shell access, then there are no passwords for them. Is
this true?
2) If the above is true, can I then assume that if an account does not have
any shell access, it is therefore a system account?

I'll appreciate any insights to this question. I will summarize this once I
have all the info.

Lastly, thanks a million for reading.

Regards,

heemeng

S
U BEFORE POSTING please READ the FAQ located at
N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
. and the list POLICY statement located at
M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
A To submit questions/summaries to this list send your email message to:
N sun-managers@ececs.uc.edu
A To unsubscribe from this list please send an email message to:
G majordomo@sunmanagers.ececs.uc.edu
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:
I http://www.latech.edu/sunman.html
S
T
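
The summary's two points (an empty shell field means the default /sbin/sh, and the shell field says nothing about the password field) can be checked per account by joining /etc/passwd with /etc/shadow. The script below is an added example, not part of the original post; the function names, the state labels and the sample entries are constructed for illustration, and it also accepts the bare "NP" spelling and flags an empty password field, which the post does not cover.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data is constructed.

# audit_accounts PASSWD_FILE SHADOW_FILE  (hypothetical helper name)
# Prints one line per passwd entry: name, UID, effective shell, password state.
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { pw[$1] = $2; next }   # first file read: shadow
        {
            # An empty 7th field means the default shell, not a missing shell.
            shell = ($7 == "") ? "/sbin/sh(default)" : $7
            if (!($1 in pw))                              state = "no-shadow-entry"
            else if (pw[$1] == "")                        state = "EMPTY-PASSWORD"
            else if (pw[$1] == "NP" || pw[$1] == "*NP*")  state = "no-password"
            else if (index(pw[$1], "*LK*") == 1)          state = "locked"
            else                                          state = "password-set"
            printf "%s uid=%s shell=%s %s\n", $1, $3, shell, state
        }
    ' "$2" "$1"
}

# demo: run the audit over constructed copies, never the live files.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
alice:x:1001:10::/export/home/alice:/bin/ksh
guest:x:1002:10::/export/home/guest:/bin/false
EOF
    cat > "$d/shadow" <<'EOF'
root:CONSTRUCTED_HASH:6445::::::
daemon:NP:6445::::::
bin:*NP*:6445::::::
lp:*LK*:::::::
alice:CONSTRUCTED_HASH:11190::::::
guest::11190::::::
EOF
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

demo
```

In the constructed data, guest has a non-login shell but an empty password field, while daemon has the default shell and no usable password, so neither field can be inferred from the other.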




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:15 CDT