HP3000-L Archives

May 1999, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Sletten Kenneth W KPWA <[log in to unmask]>
Date: Fri, 7 May 1999 13:31:52 -0700
Yesterday Gavin said:

> At first glance my gut reaction was that only MANAGER.SYS
> and OPERATOR.SYS and maybe one or two others are official
> (HP created) users in the SYS account, .....

> ..... On checking a :LISTUSER @.SYS of course I find that:

> NWIXUSER.SYS, PCUSER.SYS, RSBCMON.SYS, and
> SCOPE.SYS, exist on all the machines that I checked, ......
> It appears that one of these may have a default password ......  but
> the others have no password by default, and any one of them can
> be used to trivially leverage PM and SM capabilities once logged on, ..

> Creating lots of additional users for the SYS account is *not* a very
> good idea.

Gavin is right on....  but I will add a caution that I learned from
experience when I first stumbled on it a couple years back:

Be careful deleting "external" users on your machine (external
meaning HP or third-party created).  I had a number of users
that I knew we did not need anymore, so without thinking it
through very clearly I sez to myself: "Well, even though we
have VE-AUDIT it still wouldn't hurt to simplify our accounting
structure by purging them...."   BZZZZST !!!....  Some months
later (meaning I failed in my MANAGER.SYS duty) I discovered:
THEY'RE BACK !!.....

Of course what happened is that in the interim I had done a
major system upgrade (5.0 to 5.5 or whatever).  And since I
had deleted some of the "standard" HP users, the update
process just re-created them...   WITH NO PASSWORDS !!!
~!@#$%&*-+=....     And it is not just HP that does this:  One
or more well-known third-parties who have some otherwise
excellent products have also been guilty of silently using the
"; CREATE" option in their install jobs to create new users with
AM and even new accounts WITH NO PASSWORDS !!...
The 3rd-party vendor that did this that I am aware of shall for
now remain nameless, since after I told them I believe they immediately
fixed the problem.

Solution I adopted:  Unless you are *very* sure that a particular
user / group / account will never be re-created by any standard
HP or vendor install or update job:   Leave the user name in
place;  but with the best eight-character alpha-numeric
password you can think of.  At least for the products we run, I
have yet to see an install or update job that will change an
EXISTING password on a user that is already in the directory...
I might add that if I ever find a software install / update job that
would silently do such a thing, that might be sufficient grounds
for excommunicating that product from my system......

Ken Sletten
