19.4 Managing Dormant Accounts

If a user is going to be gone for an extended period of time, you may wish to consider preventing direct logins to the user's account until her return. This assures that an intruder won't use the person's account in her absence. You may also wish to disable accounts that are seldom used, enabling them only as needed. If you think that you do not need to be concerned with accounts belonging to people who are traveling or that are seldom used, think again: many security breaks have resulted from the penetration of such accounts. There are many reasons:
There are two simple ways to prevent logins to an account:
Actually, you may want to consider doing both.

19.4.1 Disabling an Account by Changing the Account's Password

You can prevent logins to a user's account by changing his password to something he doesn't know. Remember: you must be the superuser to change another user's password. For example, you can change mary's password simply by typing the following:

    # passwd mary
    New password: dis1296
    Retype new password: dis1296

Because you are the superuser, you won't be prompted for the user's old password. This approach causes the operating system to forget the user's old password and install the new one. Presumably, when the proper user of the account finds herself unable to log in, she will contact you and arrange to have the password changed to something else.

Alternatively, you can prevent logins to an account by inserting an asterisk in the password field of the user's account. For example, consider a sample /etc/passwd entry for mary:

    mary:fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

To prevent logins to Mary's account, change the password field to look like this:

    mary:*fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh

Mary won't be able to use her account until you remove the asterisk. When you remove it, she will have her original password back.

If you use shadow passwords on your system, be sure that you are editing the password file that contains them, and not /etc/passwd. You can tell that you are using shadow passwords if the password field in /etc/passwd is blank or contains a symbol such as x or # for every password, instead of containing regular encrypted passwords.

Some Unix versions require that you use a special command to edit the password file. This command ensures that two people are not editing the file at the same time, and also rebuilds system databases if necessary. On Berkeley-derived systems, the command is called vipw.
Under some versions of Unix, you can accomplish the same thing as adding an asterisk by using the -l option to the passwd command:

    # passwd -l mary

Changing an account's password does not completely disable the account:
Interactive access using the first two mechanisms can be disabled by changing the user's login shell to /bin/false. Automatic jobs need to be manually hunted down and terminated.

19.4.2 Changing the Account's Login Shell

Another way to prevent direct logins to an account is to change the account's login shell so that instead of letting the user type commands, the system simply prints an informative message and exits. This change effectively disables the account. For example, you might change the line in /etc/passwd for the mary account from this:

    mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/bin/csh

to this:

    mary:fdfdi3k1j$:105:100:Mary Sue Lewis:/u/mary:/etc/disabled

You would then create a shell script called /etc/disabled:

    #!/bin/sh
    /bin/echo Your account has been disabled because you seem to have
    /bin/echo forgotten about it. If you want your account back, please
    /bin/echo call Jay at 301-555-1234.
    /bin/sleep 10

When Mary tries to log in, this is what she will see:

    bigblu login: mary
    password: mary1234
    Last login: Sun Jan 20 12:10:08 on ttyd3
    Whammix V17.1 ready to go!
    Your account has been disabled because you seem to have
    forgotten about it. If you want your account back, please
    call Jay at 301-555-1234.
    bigblu login:
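As an added example that is not the book's code, the following shell functions perform the asterisk lock of 19.4.1 and the shell change of 19.4.2 on a passwd-format file and report whether an account is locked. The file, users and password hashes are constructed for the example, and the function names (lock_account, unlock_account, account_state) are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the book: lock an account in a passwd-format
# file by prefixing the password field with "*" (19.4.1) and pointing the
# shell at /etc/disabled (19.4.2), then unlock it again. It edits a copy;
# on a shadow-password system the "*" would go in the shadow file instead.

# lock_account FILE USER: add the "*" prefix only once, so unlocking can
# restore the original hash, and set the shell; written via a temp file
lock_account() {
    awk -F: -v u="$2" 'BEGIN { OFS = ":" }
        $1 == u { if (substr($2, 1, 1) != "*") $2 = "*" $2; $7 = "/etc/disabled" }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# unlock_account FILE USER SHELL: strip the leading "*" and restore SHELL
unlock_account() {
    awk -F: -v u="$2" -v s="$3" 'BEGIN { OFS = ":" }
        $1 == u { sub(/^\*/, "", $2); $7 = s }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# account_state FILE USER: "locked" if the password field starts with "*"
# or the shell is /etc/disabled or /bin/false, otherwise "active"
account_state() {
    awk -F: -v u="$2" '$1 == u {
        if (substr($2, 1, 1) == "*" || $7 == "/etc/disabled" || $7 == "/bin/false")
            print "locked"; else print "active" }' "$1"
}

# Constructed sample passwd file (fake users and hashes)
PW=$(mktemp); trap 'rm -f "$PW" "$PW.tmp"' EXIT
cat > "$PW" <<'EOF'
root:abc123xyz:0:0:Super User:/:/bin/sh
mary:fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh
spaf:k2j3h4g5f6:106:100:Spaf:/u/spaf:/bin/ksh
EOF
lock_account "$PW" mary
account_state "$PW" mary            # locked
unlock_account "$PW" mary /bin/csh
account_state "$PW" mary            # active
```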
19.4.3 Finding Dormant Accounts

Accounts that haven't been used for an extended period of time are a potential security problem. They may belong to someone who has left or is on extended leave, and therefore the account is unwatched. If the account is broken into or the files are otherwise tampered with, the legitimate user might not notice for some time. If the user has left, he may end up at a competing firm and the old, dormant account may present a terrible temptation for mischief. Therefore, disabling dormant accounts is good policy. [7]
One way to disable accounts automatically when they become dormant (according to your definition of dormant) is to set a dormancy threshold on the account. Many versions of Unix allow this to be done with the -f option to the usermod command:

    # usermod -f 10 spaf

In this example, user spaf will have his account locked if a login is not made at least once during any 10-day period. (Note that having an active session continue operation during this interval is not sufficient; the option requires a login.)

If your version of Unix does not have a usermod command, you will need to find another way to identify dormant accounts. The following simple shell script, called not-this-month, uses the last command to produce a list of the users who haven't logged in during the current month. Run it the last day of the month to produce a list of accounts that you may wish to disable.

    #!/bin/sh
    #
    # not-this-month:
    # Gives a list of users who have not logged in this month
    #
    PATH=/bin:/usr/bin; export PATH
    umask 077
    mkdir /tmp/NTM || exit 1                 # refuse to run if the work directory exists
    chmod 700 /tmp/NTM
    THIS_MONTH=`date | awk '{print $2}'`    # month abbreviation, e.g. Jan
    # users who appear in the last database this month
    last | grep $THIS_MONTH | awk '{print $1}' | sort -u > /tmp/NTM/users1$$
    # every account in the password file
    cat /etc/passwd | awk -F: '{print $1}' | sort -u > /tmp/NTM/users2$$
    # accounts in the password file that never logged in this month
    comm -13 /tmp/NTM/users[12]$$
    rm -r /tmp/NTM

The following explains the details of this shell script:
This shell script assumes that the database used by the last program has been kept for at least one month. After you have determined which accounts have not been used recently, consider disabling them or contacting their owners. Of course, do not disable accounts such as root, bin, uucp, and news that are used for administrative purposes and system functions. Also remember that users who access their account only with rsh (the remote shell command) or su won't show up in the output of last. If these accesses are logged by syslog on your system, you can write another script to look for them (or their absence).
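As an added example that is not the book's script, the following extends the idea of not-this-month along the lines of the paragraph above: it takes saved output of last, a password file and a syslog file, also credits accounts that were reached through su or rsh, and never reports root, bin, uucp or news. The sample inputs, the su and rshd log-line formats, and the dormant function name are constructed for this example; check what your own su and rshd actually log before relying on the patterns.

```shell
#!/bin/sh
# Added example, not the book's script: like not-this-month, list accounts
# with no login in a given month, but also count su and rsh use recorded by
# syslog (which "last" never sees) and skip the administrative accounts the
# chapter says never to disable. The log formats below are constructed.

# dormant LAST_OUT PASSWD SYSLOG MON: print dormant login names, one per line
dormant() {
    lastout=$1 pwfile=$2 syslog=$3 mon=$4
    tmp=$(mktemp -d) || return 1
    # names seen by "last" this month: field 1 is the login name
    awk -v m="$mon" '$0 ~ (" " m " ") { print $1 }' "$lastout" > "$tmp/seen"
    # names reached via su ("su: WHO to NAME") or rsh ("rshd: WHO as NAME")
    # in syslog lines whose first field is this month
    awk -v m="$mon" '$1 == m && / su: /   { for (i = 1; i < NF; i++) if ($i == "to") print $(i+1) }
                     $1 == m && / rshd: / { for (i = 1; i < NF; i++) if ($i == "as") print $(i+1) }' \
        "$syslog" >> "$tmp/seen"
    sort -u "$tmp/seen" > "$tmp/seen.u"
    # every password-file account except root, bin, uucp and news
    awk -F: '$1 != "root" && $1 != "bin" && $1 != "uucp" && $1 != "news" { print $1 }' \
        "$pwfile" | sort -u > "$tmp/all"
    comm -13 "$tmp/seen.u" "$tmp/all"    # names in all but not in seen
    rm -rf "$tmp"
}

# Constructed sample inputs (fake users, hosts and hashes)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LAST=$WORK/last PW=$WORK/passwd LOG=$WORK/syslog
cat > "$LAST" <<'EOF'
mary     ttyd3    Sun Jan 20 12:10 - 12:45  (00:35)
jay      ttyp0    Sat Jan 19 08:00 - 09:30  (01:30)
spaf     ttyp1    Mon Dec 30 22:15 - 23:00  (00:45)
EOF
cat > "$PW" <<'EOF'
root:x:0:0:Super User:/:/bin/sh
bin:x:1:1:System Binaries:/bin:/bin/false
mary:fdfdi3k1j1234:105:100:Mary Sue Lewis:/u/mary:/bin/csh
spaf:k2j3h4g5f6:106:100:Spaf:/u/spaf:/bin/ksh
jay:a1b2c3d4e5:107:100:Jay:/u/jay:/bin/sh
tam:z9y8x7w6v5:108:100:Tam:/u/tam:/bin/sh
hal:q1w2e3r4t5:109:100:Hal:/u/hal:/bin/sh
olduser:m5n6b7v8c9:110:100:Old User:/u/olduser:/bin/sh
EOF
cat > "$LOG" <<'EOF'
Jan 21 03:04:05 bigblu su: jay to spaf
Jan 23 14:20:00 bigblu rshd: tam@remote.example as tam
Dec 31 23:59:00 bigblu rshd: olduser@remote.example as olduser
EOF
dormant "$LAST" "$PW" "$LOG" Jan    # prints hal and olduser
```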