LinuxQuestions.org
Old 10-19-2005, 10:30 PM   #1
wangjinyi
Member
 
Registered: Sep 2004
Posts: 60

Rep: Reputation: 15
can i delete all the users except......


Can I delete all the users except for root?
So many hackers there, it is too boring.
I want to make all other users unavailable.

How?

Delete from file passwd directly?

I am crazy.
 
Old 10-19-2005, 11:34 PM   #2
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Quote:
can i delete all the users except for root.
Yes

Quote:
delete from file passwd directly?
No. Use the userdel command (as root).
 
Old 10-20-2005, 09:51 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Quote:
can i delete all the users except for root.
Yes

Deleting all but the root user is like returning to the past millennium and Wintendo '98-like game consoles, next to that this means allowing root to log in and all tasks will be performed by root since there are no unpriv users. All in all not proper systems administration unless you remake accounts between 1 and 500 (on a std WS/light server).

If you got a cracker (not hacker) problem it's best you clean up the box and reinstall from scratch and then harden it properly. Please check out the LQ FAQ: Security references for more info.

Last edited by unSpawn; 10-20-2005 at 11:05 PM.
 
Old 10-20-2005, 10:08 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
Deleting everyone but root will turn it into a Linspire box. This is not good.
 
Old 10-20-2005, 11:22 PM   #5
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
If you delete all the users you created then that's fine, but why do you want to run as root when it's a big security risk? If you delete any "system" users, i.e. those created by Linux, you may end up with a system that exhibits weird behaviour or one that won't work at all.
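
Added example (not part of any post in this thread): a shell sketch that separates system accounts from human login accounts in a passwd-format file, so that only the latter are reviewed before `userdel` is used. The 500 boundary comes from the "between 1 and 500" remark above; the sample entries are constructed.

```shell
#!/bin/sh
# Classify accounts in a passwd-format file so that only human login
# accounts are reviewed for locking or removal.
# UID_MIN=500 follows the "between 1 and 500" range quoted in the thread;
# many current distributions use 1000 (UID_MIN in /etc/login.defs).
UID_MIN=${UID_MIN:-500}

# classify_accounts FILE -> one "class name uid shell" line per account
#   uid0    : UID 0 (root, or any other superuser alias worth a look)
#   system  : UID 1..UID_MIN-1, daemon/service accounts; leave in place
#   nologin : regular UID, but the shell refuses interactive logins
#   login   : regular UID with a usable shell; review these
classify_accounts() {
    awk -F: -v min="$UID_MIN" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments, blank lines
        NF != 7 { next }                     # malformed entry
        {
            uid = $3 + 0; shell = $7
            if (uid == 0)                        class = "uid0"
            else if (uid < min + 0)              class = "system"
            else if (shell ~ /(nologin|false)$/) class = "nologin"
            else                                 class = "login"
            print class, $1, uid, shell
        }' "$1"
}

# login_candidates FILE -> space-separated names in class "login"
login_candidates() {
    classify_accounts "$1" |
        awk '$1 == "login" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Constructed sample data, not taken from any real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
ftpguest:x:501:501::/home/ftpguest:/sbin/nologin
bob:x:502:502:Bob:/home/bob:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF

# Review the names by hand, then lock (passwd -l NAME) or remove (userdel NAME).
echo "login-capable regular accounts: $(login_candidates "$sample")"
```

`passwd -l` only locks the password; key-based ssh logins keep working unless the account is also expired (`usermod -e 1 NAME`).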
 
Old 10-22-2005, 04:36 AM   #6
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Quote:
Deleting all but the root user is like returning to the past millennium and Wintendo '98-like game consoles
Not necessarily: on our router/firewall Linux boxes at work we only have the root user and no other non-system users. The only people who will ever login to those boxes are system admins and the only reason you'd ever login is to change the system configuration, which requires root access anyway.
 
Old 10-22-2005, 06:25 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Quote:
Not necessarily: on our router/firewall Linux boxes at work we only have the root user and no other non-system users.
I said: "no users except root." Wetware is prone to making mistakes. Making mistakes leads to anger, and anger leads to the Dark Side.
Seriously, the point is that if you have no unpriv users you *will* log in as root, and *always* perform tasks as root and that is bad karma. And you know we weren't talking about that kind of network devices, and even though I can think of some minor mitigating circumstances like ssh'ing in over an OOB network, it still goes against basic security principles. If this was done by design, then I argue the design is flawed. If this was configured by the admins then I wouldn't call 'em that.

Quote:
The only people who will ever login to those boxes are system admins
That is besides the point. Role is defined by authorisation granted *on* the box. That way one can be admin in one segment of a network and a luser everywhere else. Separation of responsibilities and all that.

Quote:
and the only reason you'd ever login is to change the system configuration, which requires root access anyway.
That's reasoning the other way around and doesn't sound convincing to me.

Stupid example. Say the admin group is busy so you give someone else the simple task of manually checking software versions. This would then mean you'd have to supply all the root passwords for all those devices while this task could have been performed from an unpriv user account using sudo.
 
Old 10-22-2005, 07:30 PM   #8
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Quote:
Seriously, the point is that if you have no unpriv users you *will* log in as root, and *always* perform tasks as root and that is bad karma
Yeah but with these firewall/router machines even if we logged in as an unpriv user all our commands would be preceded by 'sudo' anyway - there's nothing to do on those boxes as an unpriv user. You can just as easily make a mistake with sudo as with being logged in as root.

Quote:
And you know we weren't talking about that kind of network devices
The OP didn't say anything about what kind of setup it was. From what he said about hackers it could just as easily have been a firewall/router setup like ours that I mentioned. I wasn't disagreeing with what you said either - I agree completely for any workstation, desktop and most servers that you shouldn't login as root.

Quote:
If this was done by design, then I argue the design is flawed. If this was configured by the admins then I wouldn't call 'em that.
Well thanks, but we know perfectly well what we're doing.

Quote:
That is besides the point. Role is defined by authorisation granted *on* the box. That way one can be admin in one segment of a network and a luser everywhere else. Separation of responsibilities and all that.
I'm not exactly sure what you're saying here. The only people who know the root password are the systems admins. We're only a small company - there's me full-time and one other part-time sysadmin so if you're an admin you have root access to any computer on the network, there is no need for 'separation' because mostly it wouldn't really work unless I were to suddenly develop multiple-personality disorder.

Quote:
Stupid example. Say the admin group is busy so you give someone else the simple task of manually checking software versions. This would then mean you'd have to supply all the root passwords for all those devices while this task could have been performed from an unpriv user account using sudo.
There is no one else in the company who can login to the servers besides us admins. If there was anything urgent needing doing then we do it - that's our job. There is no situation in the way our company runs where we'd need to give some other staff member access to those boxes. Even if there was it takes about 20 seconds to run useradd and create an unpriv account for that person.

Last edited by tkedwards; 10-22-2005 at 07:33 PM.
 
Old 10-22-2005, 07:44 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
tkedwards,

If nothing else, you should be locking down remote access (e.g. ssh) to those machines to a non-root account. Then once you're in you can su.

Sounds like these are your operating procedures, though, and even if I do not think they are very wise, I doubt commentary from a strange person on a web forum is going to change your mind.
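
Added example (not part of any post in this thread): a shell check for the ssh lock-down suggested above, reading the global `PermitRootLogin` value from an sshd_config-format file. The account name `netadmin`, the addresses and both sample files are constructed; the parser assumes whitespace-separated keywords and does not follow `Include` lines.

```shell
#!/bin/sh
# Audit the global PermitRootLogin setting in an sshd_config-format file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional, so the
# scan stops at the first Match line.
root_login_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments, blank lines
        { key = tolower($1) }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_root_login FILE -> prints a verdict; status 0 only when root is denied
audit_root_login() {
    value=$(root_login_setting "$1")
    case "$value" in
        no)    echo "ok: root cannot log in over ssh"; return 0 ;;
        yes)   echo "weak: direct root login allowed"; return 1 ;;
        unset) echo "weak: not set globally, default or Match applies"; return 1 ;;
        *)     echo "weak: root login possible ($value)"; return 1 ;;
    esac
}

# Constructed samples. "netadmin" and the 192.0.2.x / 198.51.100.x
# addresses are placeholders, not values from the thread.
appended=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$appended" "$fixed"' EXIT
cat > "$appended" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening line added at the end: ignored, the first value wins
PermitRootLogin no
EOF
cat > "$fixed" <<'EOF'
Port 22
permitrootlogin no
AllowUsers netadmin@192.0.2.10 netadmin@198.51.100.7
EOF

echo "appended: $(audit_root_login "$appended")"
echo "fixed:    $(audit_root_login "$fixed")"
```

On a live host, `sshd -T` prints the effective configuration, including defaults, and is the authoritative check.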
 
Old 10-23-2005, 10:33 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Quote:
Yeah but with these firewall/router machines even if we logged in as an unpriv user
If that wasn't a problem itself we wouldn't be trying to dodge sniffers and we would all still be using r* utilities, would we?..

Quote:
You can just as easily make a mistake with sudo as with being logged in as root.
True. Still (if configured well) sudo can restrict more like not allowing wildcards for instance and so minimise risks (a bit).

Quote:
Well thanks, but we know perfectly well what we're doing. (..) I'm not exactly sure what you're saying here.
NP. I probably just have different experiences working with admin herds and colo farms, that's all. Anyway. Sometimes it (apparently) isn't that easy to try and explain things clearly.
 
Old 10-23-2005, 09:04 PM   #11
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 49
Quote:
If that wasn't a problem itself we wouldn't be trying to dodge sniffers and we would all still be using r* utilities, would we?..
I don't understand what you're saying here. We dodge sniffers by using encrypted connections, i.e. ssh instead of rsh; this has nothing to do with whether you login as root or an unpriv user. Having only root on this box hasn't compromised the security benefits of ssh for it.

Anyway we only allow ssh in from one or 2 specific IPs - our other site and my home computer so we're pretty safe from password sniffing attacks.
 
  


All times are GMT -5.