Default users at install
Is it a good or bad idea to remove some of these users? As a beginner I'm not sure which are needed, but at the least for a remote server I don't why I'd need a user for games or for the print daemon.
4 Replies
@trazoi:
Is it a good or bad idea to remove some of these users? As a beginner I'm not sure which are needed, but at the least for a remote server I don't why I'd need a user for games or for the print daemon.
These users exist because a package installed on the server said it needed them. Whether any particular one will actually end up being used depends on what you do with the system, but just yanking things out that the OS put there itself is a very bad idea. Think about the tech support horror stories you hear about people who started deleting all those "extra" files they "never use" and wound up trashing their system.
And there's really no reason to remove them. They consume no resources beyond the few bytes they occupy in the passwd and related files, and they can't be logged into (unless you decide to enable them and set a password for them – don't do that), so there's no security risk.
@nknight:
And there's really no reason to remove them. They consume no resources beyond the few bytes they occupy in the passwd and related files, and they can't be logged into (unless you decide to enable them and set a password for them – don't do that), so there's no security risk.
Sweet, thanks. I wasn't sure if they had full user rights, passwords and all. If they're there effectively just as labels to quarantine file access then I won't worry about them. I was just a little bit surprised there were so many of them.;)
@trazoi:
Sweet, thanks. I wasn't sure if they had full user rights, passwords and all. If they're there effectively just as labels to quarantine file access then I won't worry about them.
You can verify that none of them have passwords by looking at the second field in /etc/shadow.
@man 5 shadow:If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).
A "valid result of crypt" looks something like $1$EPlC0/$zcsNziSht7Vt335LyraXZ/. Also you will often see in /etc/passwd such accounts having their shell set to /bin/false or /sbin/nologin which prevents a normal login. It is still possible (and common) for processes to run as these users. For example, postfix starts as root (it needs to in order to e.g. listen on port 25) but then drops most privileges and switches over to the postfix user. I don't know exactly what would happen if you removed the postfix user account, but I assume it isn't good…
Now I'm curious as to what the difference is between having a ! or a * as the password. The shadow man page doesn't say, and I'm sure that's a devil of a thing to try and Google for!
Pre-edit: Decided to search on a whim before pressing submit, and found out that * means nothing can match, while ! means the account is locked.