Blue Light
Space shortcuts
Child pages
  • Users and groups

Versions Compared

Old Version 4

changes.mady.by.user Charles

Saved on

compared with

New Version 5

changes.mady.by.user Charles

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Files-based

This is for users and groups that are defined by /etc/passwd and /etc/group et al as opposed to LDAP-based users.

Group creation

TODO: TBC

Each user's primary group must exist before the user is created unless --user-group is specified on the useradd command.

Blue Light user bl

Blue Light's standard Linux system includes user bl.

bl receives a copy of all email sent to root. This can be useful when investigating problems.

bl can use sudo to assume root privileges.  This is a security weakness because bl's passwords are widely known.  It must not be configured on computers with a public IP address.  Its use on other computers is entrenched.  As Andrey commented in FINANCESRV-227 about disabling this facility "Not okay for regular machines, since those often need to be accessed physically without difficulties".

User creation

This varies, depending on the type of user.  Maybe the user will be a full Linux user; maybe the user is only required for use with samba.

...

useradd --create-home --groups 'sb-users' --home-dir /mnt/archive/private/users/$u/ --user-group $u

User disabling and removal

Reference: http://www.howtoforge.com/linux_remove_users

Everything belonging to a user should be removed before the user is removed so a three stage process is required: disabling, artifact removal and finally user removal.

Disable the user

After this is done the user cannot create any further artifacts.  In  the examples below $u is the user name.

...

Remove or comment out any entries for the user in /etc/sudoers:

visudo

Disable associated authentications

Remove the user's membership of secondary groups:

...

Change any common passwords known by the user, for example: shared KeePass, common MySQL and postgres users, root ...

Remove the user's artifacts

Unless storage space is short, better to preserve the user's home directory (in case something is needed later or for audit) but render it inaccessible:

...

In case the user has a dedicated group with the same name:

find / -group $u

De-configure the user

Remove references to the user from miscellaneous configurations: /etc/samba/smb.conf(.source),

Remove the user and any dedicated group

There may be very little benefit from doing this step.

...

In case the user has a dedicated group with the same name:

delgroup $u

LDAP-based

TODO: TBC