
   comp.os.linux.misc      Linux-specific topics not covered by oth      135,536 messages   


   Message 134,142 of 135,536   
   jayjwa to Lars Poulsen   
   Re: Cleaning up group identities   
   31 Dec 25 13:20:48   
   
   From: jayjwa@atr2.ath.cx.invalid   
      
   Lars Poulsen  writes:   
      
   > I found that GID 51 and GID 486 were both in /etc/group as the   
   > group smmsp (sendmail sending profile?). And it turns out that   
   > there are a number of these:   
   >      mailnull 47 and 487   
   >      apache   48 and 489   
   >      smmsp    51 and 486   
   >      openvpn 994 and 982   
   >      ...   
   After anything I install, I check that the passwd/group files have not   
   been molested. I don't want my passwd/group looking like a phone book   
   for New York City. There's a lot of fluff that gets installed. You can   
   run 'grpck' and 'pwck' to keep things tidy. One group name should not   
   have multiple GIDs IMHO, but who knows how it's being done now? I also   
   hate multiple nobody/nogroups and names for every single thing. One name   
   for ftp is fine. Adding more entries gives hackers more users to try to   
   breach a system with and someday you will forget to lock one that you   
   didn't even know was added and now it's relaying spam (happened to a guy   
   on LQ).   
      
   > The scripts to do this will be a pain to write, so I wonder   
   > - if others have had the same problems,   
   > - what you did about it,   
   > - and are there scripts to automate the process?   
   My users/groups go 1000:1000 and above on Linux. Some other Unix use   
   100:100. Prevention is the best remedy. Of course, that won't help you now.   
      
   > Part of the immediate cleanup will be moving old user-ids out of   
   > the 500-999 range. When doing that, it would be good to also align   
   > the UIDs and GIDs of the users. (Which means setting aside a range   
   > groups like "family", "friends", "coworkers" that do not have a   
   > unique user associated.)   
   You can stay with lower ranges as long as you make sure nothing you   
   install from your distro messes with them (it likely will).   
      
   > And by the way, is there a canonical list of "preferred" values   
   > for system service UID and GID?   
   This is probably distro-specific. After any install that touches passwd,   
   I delete any "toor", "operator", "haldaemon", or "wheel" I find.   
      
   --   
   PGP Key ID: 781C A3E2 C6ED 70A6 B356  7AF5 B510 542E D460 5CAE   
          "The Internet should always be the Wild West!"   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
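
The audit discussed in the message above (group names carrying more than one GID, and low-UID accounts that can still log in), as an added example that is not part of the original post. The function names are hypothetical, the sample files are constructed from the GID pairs quoted in the thread, and treating a shell ending in `nologin` or `false` as non-login is an assumption.

```shell
#!/bin/sh
# Added example: audit passwd/group-format files for issues raised in the thread.

# Print "name gid1,gid2,..." for each group name that maps to more than one GID.
dup_group_names() {
    awk -F: 'NF >= 3 && !(($1, $3) in seen) {
        seen[$1, $3] = 1
        if ($1 in gids) gids[$1] = gids[$1] "," $3
        else gids[$1] = $3
        count[$1]++
    }
    END { for (n in count) if (count[n] > 1) print n, gids[n] }' "$1" | sort
}

# Print "name uid shell" for non-root accounts below UID $2 (default 1000) whose
# shell is not a nologin/false stub. An empty shell field means /bin/sh, so it
# is reported too. These are the entries to confirm are locked or removed.
login_capable_system_accounts() {
    awk -F: -v min="${2:-1000}" '
        NF >= 7 && $1 != "root" && $3 + 0 < min + 0 && $7 !~ /(nologin|false)$/ {
            print $1, $3, $7
        }' "$1" | sort
}

# Constructed sample files (GID pairs from the thread; not a real system's data).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/group" <<'EOF'
root:x:0:
mailnull:x:47:
apache:x:48:
smmsp:x:51:
smmsp:x:486:
mailnull:x:487:
apache:x:489:
openvpn:x:994:
openvpn:x:982:
users:x:1000:
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alt root:/root:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
operator:x:11:0:operator:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
echo "Group names with more than one GID:"; dup_group_names "$tmp/group"
echo "Login-capable accounts below UID 1000:"; login_capable_system_accounts "$tmp/passwd"
```

On a live system, pass `/etc/group` and `/etc/passwd` to the two functions; the second one only inspects the shell field, so checking whether the password is locked in the shadow file remains a separate step.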



(c) 1994,  bbs@darkrealms.ca