Subject: Re: insecurity checking question
To: None <netbsd-help@netbsd.org>
From: Jonathan A. Kollasch <jakollasch@mcleodusa.net>
List: netbsd-help
Date: 10/13/2004 17:11:06
On Sunday, October 10, 2004 11:19 am, Water NB wrote:
> root receive insecurity checking report everyday as below
> ===========================================
> Checking the /etc/master.passwd file:
> Login daemon is off but still has a valid shell (/sbin/nologin)
> Login operator is off but still has a valid shell (/sbin/nologin)
> Login bin is off but still has a valid shell (/sbin/nologin)
> Login news is off but still has a valid shell (/sbin/nologin)
> Login games is off but still has a valid shell (/sbin/nologin)
> Login postfix is off but still has a valid shell (/sbin/nologin)
> Login named is off but still has a valid shell (/sbin/nologin)
> Login ntpd is off but still has a valid shell (/sbin/nologin)
> Login sshd is off but still has a valid shell (/sbin/nologin)
> Login nobody is off but still has a valid shell (/sbin/nologin)
> Login senbowang has more than 8 characters.
> Login xuewendong has more than 8 characters.
> ===========================================
>
> I have 2 questions:
> Q1: Why does it report some users has a valid shell. Can I avoid these
> messages.
> Q2: User account name length. How can enlarge it?
There actually is a minor security issue here.
Something about programs only looking at the first 8 chars of a username
(search the archives of netbsd-help and netbsd-users; it has been mentioned
before); be sure all usernames on this machine are unique within the first 8
characters. (there still might be real security holes (i.e. buffer overflows)
though)
Jonathan Kollasch