From: RW on
On Sat, 22 May 2010 11:42:53 -0400
jhell <jhell(a)dataix.net> wrote:


> >>>> Having unused logins on a system is bad!
> >>>
> >>> Why?
> >>
> >> For one example:
> >> This opens up a point of possible access to the system in which its
> >> integrity could be jeopardized. What all the implications are of
> >> this is out of scope for this thread.
> >
> > These are unprivileged accounts without passwords - you need root
> > privileges to use them. Nothing is going to be running under them or
> > they wouldn't be candidates for removal in the first place.
>
> Are we arguing the point that these should just be left or can we come
> to a point like I stated in the previous email that you so gracefully
> chopped out that stated: If they are to be left in the system an admin
> should be notified or they should be automatically removed upon
> package removal.

If there are no security concerns, the rest is just a bike shed


> This is more of a best practices case than what the implications of
> leaving users in the master.passwd are.
>

Why is it best practice? Why add extra complexity to solve a problem
that doesn't actually exist?
_______________________________________________
freebsd-ports(a)freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"

From: Anonymous on
RW <rwmaillists(a)googlemail.com> writes:

> On Sat, 22 May 2010 11:42:53 -0400
> jhell <jhell(a)dataix.net> wrote:
>> This is more of a best practices case than what the implications of
>> leaving users in the master.passwd are.
>
> Why is it best practice? Why add extra complexity to solve a problem
> that doesn't actually exist?

Such unused entries in passwd add clutter. It in turn makes managing
users more complex. You have to remember which users are created by you
and which ones are created by ports. So, if you change home dir of some
user there may be undesirable consequences. And only then security
becomes a concern because port app may be run with privileges that are
higher than intended.

From: RW on
On Sun, 23 May 2010 03:39:53 +0400
Anonymous <swell.k(a)gmail.com> wrote:

> RW <rwmaillists(a)googlemail.com> writes:
>
> > On Sat, 22 May 2010 11:42:53 -0400
> > jhell <jhell(a)dataix.net> wrote:
> >> This is more of a best practices case than what the implications of
> >> leaving users in the master.passwd are.
> >
> > Why is it best practice? Why add extra complexity to solve a problem
> > that doesn't actually exist?
>
> Such unused entries in passwd add clutter. It in turn makes managing
> users more complex. You have to remember which users are created by
> you and which ones are created by ports.

You don't have to remember, just look at the UID/GID values, ordinary
users start at 1001, ports create UIDs < 1000.

The base system alone creates 18 such users, if you have problems with
this kind of thing a few stale uids are the least of your problems.

> So, if you change home dir
> of some user there may be undesirable consequences. And only then
> security becomes a concern because port app may be run with
> privileges that are higher than intended.

This appears to refer to an admin confusing a normal user with a
system user that's still in use by a port, so I don't see the
relevance.

From: Ade Lovett on

On May 22, 2010, at 16:39 , Anonymous wrote:
>
> Such unused entries in passwd add clutter. It in turn makes managing
> users more complex. You have to remember which users are created by you
> and which ones are created by ports.

Irrespective of the UID/GID stuff mentioned elsewhere, merely go through the ports tree and add (or append) "(created by ports)" to the GECOS field of any such created users.

I'd like my shed to be white, for some definition of the sixty bazillion different "whites" out there, paint-wise. Meh. Hate painting.

-aDe


From: jhell on
On 05/22/2010 21:50, Ade Lovett wrote:
>
> On May 22, 2010, at 16:39 , Anonymous wrote:
>>
>> Such unused entries in passwd add clutter. It in turn makes managing
>> users more complex. You have to remember which users are created by you
>> and which ones are created by ports.
>
> Irrespective of the UID/GID stuff mentioned elsewhere, merely go through the ports tree and add (or append) "(created by ports)" to the GECOS field of any such created users.
>

I do like this idea, but with respects to such; storing when it was
created and what created it like "www/apache22" might be a little more
useful to narrow these down.

But if a port can install a user there is no reason that it can not
uninstall a user via pw(8) that is available from bsd.commands.mk after
checking a recorded md5(1) sum that it could create upon installation
for the output of pw usershow/groupshow UID/GID.

--

jhell
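
The proposal in the message above (record an md5(1) sum of the `pw usershow` output at install time and check it before removing the account at deinstall), sketched as an added example. It is not code from the thread or the ports tree; `STATE_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration. STATE_DIR and all function names are assumptions.
STATE_DIR=${STATE_DIR:-/var/db/ports-users}

# Hash stdin: md5(1) on FreeBSD, md5sum where md5 is not installed.
digest() {
    if command -v md5 >/dev/null 2>&1; then md5 -q
    else md5sum | cut -d' ' -f1; fi
}

# Install time: store "<port-origin> <digest>" for the account just created.
record_user() {    # usage: record_user <user> <port-origin>
    mkdir -p "$STATE_DIR" || return 1
    rec=$(pw usershow "$1") || return 1     # fail if the account is missing
    printf '%s %s\n' "$2" "$(printf '%s\n' "$rec" | digest)" > "$STATE_DIR/$1"
}

# Deinstall time: true only if this port created the account and the
# passwd entry is byte-for-byte what was recorded at install.
user_unchanged() {  # usage: user_unchanged <user> <port-origin>
    [ -r "$STATE_DIR/$1" ] || return 2      # no record: not ours to remove
    read -r origin saved < "$STATE_DIR/$1"
    [ "$origin" = "$2" ] || return 3        # recorded by a different port
    rec=$(pw usershow "$1") || return 4     # account already gone
    [ "$(printf '%s\n' "$rec" | digest)" = "$saved" ]
}

# Remove the account only when the check passes; otherwise leave it and
# tell the admin, which covers the "admin should be notified" case.
remove_user_if_unchanged() {
    if user_unchanged "$1" "$2"; then
        pw userdel "$1" && rm -f "$STATE_DIR/$1"
    else
        echo "keeping $1: no record, other origin, or entry modified" >&2
        return 1
    fi
}
```

An entry the admin has edited since installation (home directory, shell, GECOS) no longer matches the recorded sum, so the account is kept rather than deleted.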