Deleted default system users

rootaccess · 06-27-2012, 04:59 AM

I read a security article that mentioned to remove all default users, so I went ahead and removed these users:

bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0

perator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

Is there anything wrong with doing that?
I saved my passwd and shadow files but I guess I would have to add the users back in somehow if I needed. How would I do that?
I dont seem to have an issue so I'm not sure if these users are really needed but then I read that you shouldn't remove system users.

Which one is it?

Thanks,
Shawn

onebuck · 06-27-2012, 07:32 AM

Hi,

Please share the article link?

tronayne · 06-27-2012, 07:51 AM

Quote:

Originally Posted by rootaccess

Is there anything wrong with doing that?

Yes. Those accounts exist for a reason, they do not have home directories and they do not have passwords (you cannot log in to those accounts from a login prompt). They are needed for a number of system operations.

Quote:

I saved my passwd and shadow files but I guess I would have to add the users back in somehow if I needed. How would I do that?

If you saved the /etc/passwd and /etc/shadow files before removing the accounts, you should copy the saved files back to where they belong; you will need to be logged in as root (or su - or sudo):

Code:

cp passwd.backup /etc/passwd
cp shadow.backup /etc/shadow

Then execute the following

Code:

cd /etc/
chown root.root passwd shadow
chmod 644 passwd
chmod 600 shadow

Quote:

I dont seem to have an issue so I'm not sure if these users are really needed but then I read that you shouldn't remove system users.
[

Yes, they're needed. Yes you should not mess with them. Yes you will have an issue -- as in real problems -- if you don't put 'em back the way they're supposed to be.

Hope this helps some.

rootaccess · 06-27-2012, 12:17 PM

Quote:

Originally Posted by tronayne

Yes. Those accounts exist for a reason, they do not have home directories and they do not have passwords (you cannot log in to those accounts from a login prompt). They are needed for a number of system operations.

If you saved the /etc/passwd and /etc/shadow files before removing the accounts, you should copy the saved files back to where they belong; you will need to be logged in as root (or su - or sudo):

Code:

cp passwd.backup /etc/passwd
cp shadow.backup /etc/shadow

Then execute the following

Code:

cd /etc/
chown root.root passwd shadow
chmod 644 passwd
chmod 600 shadow

Yes, they're needed. Yes you should not mess with them. Yes you will have an issue -- as in real problems -- if you don't put 'em back the way they're supposed to be.

Hope this helps some.

Thanks. I had a feeling I could just copy over the passwd and shadow files, thats why I made the backup. I just wanted to make sure I didn't have to actually create the users without home directories and passwords.

The article is here
http://www.faqs.org/docs/gazette/tips.html

I'm aware its a bit old but still found it a bit useful

rootaccess · 06-27-2012, 12:23 PM

I also wanted to mention that although my passwd file was already set to 644, my shadow file was initially set to just 000. Literally no permissions. I'm running CentOS

And on another note, I appended the following line in /etc/inittab to prompt for a login and password for single user mode but it never seemed to work.

~~:S:wait:/sbin/sulogin