Discussion:
Solaris 10 necessary file question
j***@gmail.com
2006-11-02 17:46:55 UTC
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?

Thank You in Advance,
Jeff
Reg Quinton
2006-11-03 21:02:20 UTC
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www,
uucp, nuccp, however the files owned by these accounts still exist. I
would like to delete these files, but the administrator is not very
familiar with Solaris and doesn't know if the O/S needs the associated
files or not. Does anyone know if those files are still in use even though
the file's owner accounts have been deleted?
It is a good idea to remove (or disable) some accounts on certain backroom
servers. At our site we delete these users

USERS="smtp nuucp listen nobody4"

And we disable (shell is /bin/true) + lock (shadow entry is *LK*) these
users (but watch out for a user requiring cron).

USERS="daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 smtp"

There are lots of packages we remove (and their contents go with them). As
for the files associated with the users you mention. I suspect there are
some problems. You should look at your package inventory. Eg.

[3:45pm boss] grep ' smmsp ' /var/sadm/install/contents
/usr/lib/sendmail f none 2555 root smmsp 1020552 31064 1158775758 SUNWsndmu
/var/spool/clientmqueue d none 0770 smmsp smmsp SUNWsndmr

And you should be thinking more about removing packages, not the files
within packages. E.g.,

# [12:52pm ist] pkginfo | grep -i uucp
# system SUNWbnur Networking UUCP Utilities, (Root)
# system SUNWbnuu Networking UUCP Utilities, (Usr)

Remove those packages and the files they contain will go. On the userid's
you mention.

--- disclaimer: This is my best guess, don't sue me for work required to
restore your system.

1) lp is required for print services you offer and print services you use.
If you're not using any then you can get rid of the associated packages.

2) smmsp is required for sendmail queue, that might be very dangerous to
remove.

3) www ... what packages is that associated with?

4) I certainly recommend you get rid of packages owned by users uucp and
nuucp -- that's ancient history stuff that's seldom required.

We have some work to test, harden, and monitor Solaris 10 systems given an
established policy (along the lines of what we did for earlier versions
described here http://ist.uwaterloo.ca/security/howto/2000-09-19/) which we
could share. We have not got the documentation in any order but the many
scriptlets that address issues like the above are in good shape. And we
have working policies that we enforce on our servers. If anyone is
interested -- contact me off list.

I am, Reg Quinton <***@ist.uwaterloo.ca>
Senior Technologist, Security
Information Systems and Technology
University of Waterloo, 200 University Ave W
Waterloo, Ontario N2L 3G1 Canada
+1 519 888-4567x6070
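
An added example, not part of the message above or of any list member's scripts: it runs the package-inventory lookup in the other direction and lists every package that still delivers a file or directory whose owner or group is missing from the account files, which is the state the original poster is in after deleting accounts. The field positions are taken from the two `contents` lines quoted in the message; the function names, the uucp line and both account files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists package inventory entries whose
# owner or group is missing from the passwd/group files.

# orphaned_pkg_owners CONTENTS PASSWD GROUP
# Output: one line per finding, "package kind name path".
orphaned_pkg_owners() {
    awk -v passwd="$2" -v group="$3" '
    BEGIN {
        while ((getline line < passwd) > 0) { split(line, f, ":"); users[f[1]] = 1 }
        while ((getline line < group) > 0)  { split(line, f, ":"); groups[f[1]] = 1 }
    }
    /^#/ { next }
    # Files (f, e, v) and directories (d, x) carry: path type class mode owner group
    $2 ~ /^[fevdx]$/ {
        first = ($2 ~ /^[dx]$/) ? 7 : 10   # packages follow group (dirs) or modtime (files)
        for (i = first; i <= NF; i++) {
            pkg = $i
            sub(/:.*/, "", pkg)            # drop an optional :class suffix
            if (!($5 in users))  print pkg, "user", $5, $1
            if (!($6 in groups)) print pkg, "group", $6, $1
        }
    }' "$1"
}

# make_sample DIR: constructed test data. The smmsp and webservd lines are the
# ones quoted in the thread; the uucp line and both account files are made up.
make_sample() {
    cat > "$1/contents" <<'EOF'
/usr/lib/sendmail f none 2555 root smmsp 1020552 31064 1158775758 SUNWsndmu
/var/spool/clientmqueue d none 0770 smmsp smmsp SUNWsndmr
/var/apache2/logs d none 0755 webservd webservd SUNWapch2r
/var/spool/uucp d none 0755 uucp uucp SUNWbnur
EOF
    printf '%s\n' 'root:x:0:0::/:/sbin/sh' 'webservd:x:80:80::/:' > "$1/passwd"
    printf '%s\n' 'root::0:' 'smmsp::25:' 'webservd::80:' > "$1/group"
}

tmp=$(mktemp -d)
make_sample "$tmp"
orphaned_pkg_owners "$tmp/contents" "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

On a real host the three arguments would be `/var/sadm/install/contents`, `/etc/passwd` and `/etc/group`; on Solaris itself use `nawk` or `/usr/xpg4/bin/awk`, since the legacy `/usr/bin/awk` does not accept `-v`.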
Fontanez Martin
2006-11-03 17:33:08 UTC
Problem with deleting these accounts is that some forsaken Solaris
activities, such as patching, still might need them. I usually leave
the accounts and put this shell on them: /sbin/noshell

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of ***@gmail.com
Sent: Thursday, November 02, 2006 12:47 PM
To: focus-***@securityfocus.com
Subject: Solaris 10 necessary file question

We removed the following default accounts in Solaris 10: lp, smmsp, www,
uucp, nuccp, however the files owned by these accounts still exist. I
would like to delete these files, but the administrator is not very
familiar with Solaris and doesn't know if the O/S needs the associated
files or not. Does anyone know if those files are still in use even
though the file's owner accounts have been deleted?

Thank You in Advance,
Jeff
Peter Schmidmaier
2006-11-04 10:15:36 UTC
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?
Thank You in Advance,
Jeff
If you use Solaris 10 as a print server, lp could be used.
The transfer method uucp (unix to unix copy) is an old method for
transferring files but is not used in modern environments. The accounts uucp
and nuucp are extra accounts used for this transfer method.

On most systems the user www or wwwrun is used for the web server,
for instance Apache.
If there is no web server running, the account can be deleted.

Regards
Peter
Cy Schubert
2006-11-03 15:45:14 UTC
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?
You're better off removing the packages. By just removing the accounts and files, the next time you apply a patch that touches those packages, the files will be recreated -- and you won't even know about it. Or you can remove the files every time you apply patches. If you have a lot of hosts (my team manages about 250 Sun boxes), you want to keep the amount of repetitive work to a minimum, just remove the packages, better yet set up your jumpstart scripts to not install them in the first place.
--
Cheers,
Cy Schubert <***@komquats.com>
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: <***@FreeBSD.org> Web: http://www.FreeBSD.org
BC Government: <***@gov.bc.ca>

"Lift long enough and I believe arrogance is replaced by
humility and fear by courage and selfishness by generosity
and rudeness by compassion and caring."
-- Dave Draper
Stephen Hauskins
2006-11-03 15:46:06 UTC
If you are running sendmail I would be careful about doing
away with smmsp. The others are not necessary but really
don't represent much in the way of diskspace usage or system
resources.
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?
Thank You in Advance,
Jeff
Rogier Mulhuijzen
2006-11-03 16:22:27 UTC
You can delete those files, but don't expect printing (lp), email
(smmsp), the webserver (www) or unix-to-unix copy (uucp) to work.

Though I doubt you'll be using uucp, and printing isn't all that common,
you would have to scratch your head about the email functionality. The
smmsp user is (off the top of my head) used for the queueing of outgoing
mail and local (to local) mail. I'm not sure the www account owns any
files on a default install, but if it does, I expect them to be part of
a web administration thingy. If you install or need Apache at any point,
make sure it is configured to run using the nobody user, or keep the www
user.

I'm drawing a blank on nuccp though. I'll leave the searching of
manpages for that one to you. =)

Cheers,

DocWilco
Post by Fontanez Martin
-----Original Message-----
Sent: Thursday, 2 November 2006 18:47
Subject: Solaris 10 necessary file question
We removed the following default accounts in Solaris 10: lp, smmsp, www,
uucp, nuccp, however the files owned by these accounts still exist. I
would like to delete these files, but the administrator is not very
familiar with Solaris and doesn't know if the O/S needs the associated
files or not. Does anyone know if those files are still in use even though
the file's owner accounts have been deleted?
Thank You in Advance,
Jeff
Glenn Brunette
2006-11-06 17:22:46 UTC
Post by Rogier Mulhuijzen
mail and local (to local) mail. I'm not sure the www account owns any
files on a default install, but if it does, I expect them to be part of
a web administration thingy. If you install or need Apache at any point,
Solaris does not have a "www" account although it does have a
"webservd" which does appear to own a few things:

blackhole$ grep webservd /var/sadm/install/contents
/var/apache2/logs d none 0755 webservd webservd SUNWapch2r
/var/apache2/proxy d none 0755 webservd webservd SUNWapch2r

It was created for use by the Apache 2.0 service.
Post by Rogier Mulhuijzen
make sure it is configured to run using the nobody user, or keep the www
user.
No! No one should be using the "nobody" account unless it is
to support NFS services:

blackhole$ grep nobody /etc/passwd
nobody:x:60001:60001:NFS Anonymous Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

The web server should use webservd (which it does by default with the
Apache 2.0 in Solaris 10). For Apache 1.0, there is a bug filed
already: 4806419

If you need an account for your web server, use webservd or create
a new one for it. That way, access to that service, its processes,
its configs and its data can be more easily controlled.

g
Magnus Forsberg
2006-11-06 16:37:34 UTC
Hi Jeff,

Have a look at "enhancements to the passwd(1)":
http://blogs.sun.com/gbrunett/entry/managing_non_login_and_locked

/Magnus
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?
Thank You in Advance,
Jeff
Levenglick, Jeff
2006-11-06 18:01:14 UTC
" but the administrator is not very familiar with Solaris and doesn't"

Bad feeling #1 :) Unix, unlike windows, will let you delete anything you
want and not warn or stop you. (try a rm -r * from / as user root :) )
It will then crash without a care. The point, if you do not really know
the OS, then do not try to manually delete things. Delete the package.
Unix will even be nice enough to tell you if anything else depends on
that package.

Lp is for the printing package/system. Are you sure you will never need
printing services?

Are you just wanting a more secure box? The two easy solutions:

1) Lock the account.
2) If you do not want to lock the account then change the shell to point
to /dev/null.

You can change the sendmail user to be anything. (in the sendmail.cf,
user to run as setting) Just remove the package if you do not want it.


Again, if you're running an up-to-date sendmail, you can secure it. It
makes life very easy to get alerts/logs from the host to your email
account (unless you like connecting to the box all the time to check
logs). You also may need to check all of your config files. Some may want
to send an email to root if there is a problem/trap.


" Does anyone know if those files are still in use even though the
file's owner accounts have been deleted?"

Bad feeling #2 :)
That sounds like a very beginner type of question. In Unix, if you
delete the user or group, the file owner or group will change to the
number of the uid or group that the account was.

Ie: user - joeshmo uid 2000. If you delete joeshmo then all files that
he owned will now show 2000 as the owner.

Why is this bad -
1) If you create a new user sometime later and give them the same uid,
then they own that file. (Which you may or may not want)

2) It becomes harder to search for the file(s) as you need to search by
number and not a name.

3) depending on the rights, you may think the file is gone, when it is
still there.

4) It is sloppy admin'ing. Auditors will have a field day with it.


You really should learn the OS first, before you delete/remove things
that you're not sure of.

Jeff


-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Stephen Hauskins
Sent: Friday, November 03, 2006 10:46 AM
To: ***@gmail.com
Cc: focus-***@securityfocus.com; focus-sun-return-***@securityfocus.com
Subject: Re: Solaris 10 necessary file question



If you are running sendmail I would be careful about doing
away with smmsp. The others are not necessary but really
don't represent much in the way of diskspace usage or system
resources.
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp,
www, uucp, nuccp, however the files owned by these accounts still exist.
I would like to delete these files, but the administrator is not very
familiar with Solaris and doesn't know if the O/S needs the associated
files or not. Does anyone know if those files are still in use even
though the file's owner accounts have been deleted?
Post by j***@gmail.com
Thank You in Advance,
Jeff
Gleixner Florian
2006-11-07 15:30:26 UTC
As others said: remove packages, not users! You might get more insecure
if you remove users that are used for privilege separation. If there is
no smmsp user, will sendmail then run as root? Same for apache if there
is no www user?
Post by j***@gmail.com
We removed the following default accounts in Solaris 10: lp, smmsp, www, uucp, nuccp, however the files owned by these accounts still exist. I would like to delete these files, but the administrator is not very familiar with Solaris and doesn't know if the O/S needs the associated files or not. Does anyone know if those files are still in use even though the file's owner accounts have been deleted?
Thank You in Advance,
Jeff