Originally posted by unSpawn
As the name suggests, I am using the username for sort of temp works
Unprivileged account names or its tasks don't matter:
anyone who wants to log in to his account may still use su or another vc
The sting is in the word may. You're looking for justification for having autologin by looking at people's expected behaviour while you should look at the risks. My example was only to show you that autologin should only be done if you're the ONLY one EVER to have access to the box. ...and probably not even then, because you're degrading the security posture of your box.
I should have made this clear from the start, instead of trying to make you think about the risks.
How about me trying to use LD_SO_PRELOAD or link something and trick you into executing something that will give me a backdoor later on? Or exploiting a weakness in one of the running (network facing) daemons? Or maybe bruteforce my way into an account.
Fact is, if you're NOT at the console, what USE is it opening the account anyway, and IF you're at the account then why not do it manually. If you want certain tasks to be done automagically, you could for instance easily set up some cron jobs.
First, about LD_SO_PRELOAD: well, how can anyone set LD_SO_PRELOAD without suid/sgid?
Well, using execlp has its disadvantages as compared to exec (from man pages execlp(3), execve(3), ld.so(8)).
But security is not compromised.
I admit there may be weaknesses in some daemons.
Bruteforce does not seem logical: with MD5 there is less risk of a bruteforce crack (of course, with enough time(?!) anyone can bruteforce in).
But anyway, thanks for your excellent reply.
And I think I will follow as you say!