Subject: Re: Minor /etc/security problems
To: Curt Sampson <cjs@cynic.net>
From: Marc Baudoin <babafou@babafou.eu.org>
List: tech-security
Date: 12/31/1998 09:40:58
Curt Sampson <cjs@cynic.net> writes:
> 
> Well, what is most important to me is just to have a standard set
> of UIDs and passwd entries for all this stuff. It doesn't have to
> be in the master.passwd file as shipped. What about reserving all
> IDs below 100, and shipping a separate file that contains master.passwd
> entries for these IDs?

Yes!  And don't forget the gids, which should follow the same
conventions.  Ideally a uid should have a corresponding gid with
the same number (which is not the case today for ingres, uid 267
gid 74, which I find awkward).

When installing a new NetBSD system, I always delete the falken
account because it annoys me with its 32766 uid.  Then I create
all my system accounts between 500 and 999 (for WWW, Majordomo
and so on) and normal users above 1000.  I chose 500-999 because
of the ingres account (uid 267) and dialer group (gid 117).

Reserving uids below 100 like you suggest is a good idea.  My
opinion on this is:

- real system accounts (like root, daemon, operator and bin)
  should have uid < 10 and a consistent corresponding gid (why
  is operator uid 2 and group 20, bin uid 3 and gid 7?  Some kind
  of historic reason?  Also why is there a nobody group with gid
  39 instead of 32766?)
- other non essential system accounts (games, mail, news, www,
  database, whatever) should have uid and gid >= 10 and < 100,
  which should leave enough room.

Of course, if we change some uids and gids like I suggest, it
could introduce some backward compatibility problems.  But NetBSD
1.4 will have so many new things and changes that it should be OK
if we change uids/gids on that occasion.

> However, I'd still prefer shipping them all in master.passwd to
> start with. The reasons for this are as follows:
> 
> 1. Experienced administrators, I should think, always edit
> master.passwd to their taste on system startup anyway, and thus
> can remove these IDs quite easily. (There are several files in this
> category; inetd.conf is another one that generally is going to be
> edited by any security-conscious admin.)

Sure.

> 3. I don't see any real security problems with having users in
> master.passwd that have the password set to * and /sbin/nologin as
> the shell.

Fine with me.  By the way, toor and operator have valid shells.
operator should have /sbin/nologin instead and, IMHO, toor
shouldn't exist at all.

If we all agree, I can prepare sample passwd and group files and
post them here to discuss them (account names, uids, gids...).

-- 
Marc Baudoin           |   Institut Pasteur
<babafou@pasteur.fr>   |   Service d'informatique scientifique
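The conventions argued for in the message above (uids below 100 are system accounts, each should own a group of the same number, and apart from root they should carry "*" as the password and /sbin/nologin as the shell) are easy to check mechanically. The script below is an added example, not code from the thread or from NetBSD: it audits a master.passwd-style file plus a group file and reports every system account that breaks one of those rules. The sample files it writes are constructed for illustration; the reserved-range limit of 100 and the finding labels are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from NetBSD.
# Audits a master.passwd-style file against the conventions discussed
# above.  Works on 7-field passwd and 10-field master.passwd lines alike
# (the login shell is always the last field).

RESERVED_MAX=100   # first uid that is NOT a system account (assumption)

# audit_accounts PASSWD GROUP
# Emits one line per finding:
#   GID-MISMATCH <name> uid=N gid=M   account gid differs from its uid, or
#                                     no group with gid == uid exists
#   SHELL <name> <shell>              non-root system account with a real shell
#   PASSWORD <name>                   non-root system account without "*"
audit_accounts() {
    awk -F: -v groupfile="$2" -v reserved_max="$RESERVED_MAX" '
    BEGIN {
        # collect every gid defined in the group file
        while ((getline line < groupfile) > 0) {
            if (line ~ /^#/ || line == "") continue
            split(line, g, ":")
            gid_seen[g[3] + 0] = 1
        }
        close(groupfile)
    }
    /^#/ || NF < 7 { next }
    {
        name = $1; pw = $2; uid = $3 + 0; gid = $4 + 0; shell = $NF
        if (uid >= reserved_max) next          # ordinary user, out of scope
        if (gid != uid || !(uid in gid_seen))
            printf "GID-MISMATCH %s uid=%d gid=%d\n", name, uid, gid
        if (name != "root" && shell != "/sbin/nologin")
            printf "SHELL %s %s\n", name, shell
        if (name != "root" && pw != "*")
            printf "PASSWORD %s\n", name
    }' "$1"
}

# Constructed sample files (illustrative only, not a real NetBSD release).
# operator/bin/games deliberately carry uid/gid mismatches, toor a live
# shell and news a non-"*" password field, to exercise each check.
write_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie Root:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
operator:*:2:20::0:0:System Operator:/usr/guest/operator:/bin/csh
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
news:DUMMYHASH:8:8::0:0:News Subsystem:/:/sbin/nologin
www:*:24:24::0:0:WWW server:/var/www:/sbin/nologin
ingres:*:267:74::0:0:Ingres Manager:/usr/ingres:/bin/csh
nobody:*:32766:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root
daemon:*:1:daemon
bin:*:7:
news:*:8:
games:*:13:
staff:*:20:root
www:*:24:
nobody:*:39:
ingres:*:74:
EOF
}

# run_demo: write the samples to a scratch directory and audit them
run_demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    audit_accounts "$dir/master.passwd" "$dir/group"
    rm -rf "$dir"
}

run_demo
```

On the constructed input the script flags toor and operator for their shells, operator, bin and games for uid/gid mismatches, and news for its password field; root passes because gid 0 exists (as wheel), and ingres and nobody are ignored because they sit above the reserved range. To audit a live system, call `audit_accounts /etc/master.passwd /etc/group` instead of `run_demo`.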