3

I'm curious as to whether, and if so why, Unix and Linux distributions still ship with default accounts shutdown, halt and sync. Specifically (from a Red Hat document),

sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

From a historical perspective, these accounts were set up so that one could log in at the physical console with these accounts' credentials (traditionally they shipped with a null password, so all you needed was to enter the user name) and properly shut down a system without having to provide the root password.

This could be useful in the case of a desktop workstation, but is questionable in the case of a server system. I don't recall there ever being any protections against logging in from remote terminals or the Internet with these accounts (unlike root itself) and shutting down the system, which creates an extreme risk of a DoS attack. Therefore, best practices have dictated for years that these accounts be removed on sight, or at the very least, locked like all other default accounts to prevent use. As default accounts go, these are probably the most dangerous.

So I'm wondering if the OS vendors have finally gotten the clue not to ship systems with these rather egregious defaults, or if there is still any purpose for having them around?

Mike McManus
  • Yes they still ship. This answer may help explain why http://unix.stackexchange.com/questions/197124/why-are-there-many-accounts-im-the-only-user – zedman9991 Apr 22 '16 at 18:28
  • I was speaking specifically of these three users which run their eponymous commands as a shell, and I only see "sync" on the linked article (which is far more benign compared to "halt" and "shutdown"). So it appears "sync" still ships but the other two don't. – Mike McManus Apr 22 '16 at 21:43
  • 1
    See http://askubuntu.com/questions/137483/how-to-create-a-shutdown-user-or-shutdown-account for usage example. It can be very useful to provide an account for solely shutting down or halting a server. Let's say that I have a sysadmin that shouldn't have access to the contents of the server, but needs to be able to shutdown the server in an emergency. That's when this type of account shines. Do most people need it? No, but since when did most people need sendmail? How long has that been floating around on default installs... – Daisetsu Apr 23 '16 at 06:51

2 Answers

2

if the OS vendors have finally gotten the clue not to ship systems with these rather egregious defaults

In all modern OSes, these accounts ship disabled, if at all. The presence of these accounts is not an egregious default. They're only a risk if you enable them in some way, for example by setting up a password (which only root can do).

Removing the account, or declaring it as locked or expired, protects against the risk of an administrator accidentally setting up a password for the account. As risks go, there are bigger ones.

Gilles 'SO- stop being evil'
  • Thanks. That hasn't been my experience particularly with Red Hat, and as I noted, traditionally these accounts shipped with a null (blank) password to facilitate their use. Glad to see that has changed. – Mike McManus Jun 03 '19 at 15:05
  • 1
    @MikeMcManus With a null password? What version of RHEL had this? I haven't administered a RH system in years, but I don't remember ever seeing this. – Gilles 'SO- stop being evil' Jun 03 '19 at 16:56
  • Traditionally HP-UX and Solaris systems did exactly that when I was first getting started in system administration. The rationale given is that someone working at the system console may need to perform these operations without having access to any passwords. I'm not sure now whether Red Hat joined in the fun or disabled the accounts from day one. – Mike McManus Aug 26 '19 at 21:36
  • @MikeMcManus IIRC in RH4 (not RHEL4) it did include them in `/etc/passwd`, but with login disabled by setting the password field to `*`. I don't think RH ever enabled them by default. Linux started out as relatively secure compared to the commercial unices of the time. In any case my answer is about modern OSes, not about that SunOS system that hasn't been patched since 1990 but is kept because it runs a business-critical system and the hardware just won't die. – Gilles 'SO- stop being evil' Aug 26 '19 at 21:54
1

For the benefit of those who do not need the functionality of these open accounts and wish to tighten up their systems (particularly Red Hat which ships with them by default), my organization has made it a standard to expire these accounts with the command

chage -E 1 sync

(or shutdown or halt). This way the account entry in /etc/passwd remains intact, but the account itself can no longer be used. I'm not certain why we don't just remove them entirely, but it probably has something to do with the patching system and file integrity management.

Mike McManus
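Added example (not from either answer): a POSIX shell audit that classifies the three accounts from passwd/shadow data, distinguishing the locked state Gilles describes (hash `*` or `!...`), the `chage -E 1` expiry from the answer above (shadow field 8 set to day 1), and the historical null-password state the question mentions. The passwd and shadow contents are constructed samples, not taken from a real system.

```shell
#!/bin/sh
# Audit helper: classify the sync/shutdown/halt accounts from passwd and shadow data.
# Constructed sample data (not from a real system). Shadow field 2 is the password
# hash, field 8 the account expiry in days since 1970-01-01 (what chage -E writes).
SAMPLE_PASSWD='sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt'
SAMPLE_SHADOW='sync:*:18000:0:99999:7:::
shutdown::18000:0:99999:7:::
halt:!!:18000:0:99999:7::1:'

# account_state NAME SHADOW_CONTENT
# prints one of: expired | locked | NULL-PASSWORD | password-set | missing
account_state() {
    entry=$(printf '%s\n' "$2" | grep -- "^$1:") || { echo missing; return 0; }
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    expire=$(printf '%s\n' "$entry" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired            # chage -E 1 lands here: day 1 (1970-01-02) is long past
    elif [ -z "$hash" ]; then
        echo NULL-PASSWORD      # the historical default: login needs no password at all
    else
        case $hash in
            \**|\!*) echo locked ;;        # a hash starting with * or ! matches nothing
            *)       echo password-set ;;  # a real hash: the account is usable
        esac
    fi
}

# audit PASSWD_CONTENT SHADOW_CONTENT
# reports every account whose login shell is one of the three commands and
# returns 1 if any of them is still usable (null password or a real password).
audit() {
    bad=0
    names=$(printf '%s\n' "$1" | awk -F: '$7 ~ /\/(sync|shutdown|halt)$/ { print $1 }')
    for n in $names; do
        state=$(account_state "$n" "$2")
        echo "$n: $state"
        case $state in NULL-PASSWORD|password-set) bad=1 ;; esac
    done
    return $bad
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "at least one account is still usable"
```

On a live system the same two functions can be fed the output of `cat /etc/passwd` and `cat /etc/shadow` (the latter needs root).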