SUMMARY - Removing user + userdel/usermod/useradd

From: Jerome M Berkman <jerry_at_uclink.berkeley.edu>
Date: Thu, 19 Feb 1998 17:56:17 -0800 (PST)

My original question was how to remove an account from the system,
as "userdel" just changes it to retired:

        # grep barney /etc/passwd
        barney:Retired*:40000:15::/usr/users/barney:/bin/sh

Additionally I asked:

        "What about vipw? Is that really unsafe? We are at C2 security."

I forgot to mention that we are running DU 4.0D. With 4.0B,
userdel deleted the account from /etc/passwd; now it just changes
it to have "Retired*" in the password field.

About a dozen people said to use removeuser. However, the man page
states:

  The removeuser command invokes /usr/sbin/userdel to delete the user
  account information from /etc/passwd and the hashed password database
  (if present).

I tried it anyway with no luck.

Several said I could use "vipw", if I knew what I am doing. The manuals
say not to. Since we are live with 30,000 users, I'll pass on that.

So what are the implications of "Retired"? I looked through the
on-line manuals, especially the 4.0D System Administration, Security,
and Master Index, and Glossaries, but only found two mentions of
"Retired" in the Security manual:

        9.1.2 Retiring Accounts

        Use the Retire User Account dialog box to permanently lock a
        user account.

        18.5 Using the Protected Password Database

        Retired status (u_retired)

        Indicates whether the authentication profile is valid. If not valid,
        login sessions are not allowed. Once retired, an account should never
        again be reused.

So they can't log on. However, if I send mail to a retired account,
it is delivered, at least with Berkeley sendmail. We don't normally
run DEC sendmail, but I tried it and it too delivers mail to
retired accounts.

How about finger? DU finger shows the account as existing with
no indication it is retired.

What about useradd? The time for useradd is proportionate to the
number of users. For the first account I added on our Alpha 8200,
useradd took about 0.07 seconds. Now we are up to 29,000+ accounts and
useradd takes 1.05 cpu seconds. (Fortunately, the useradd bug is
fixed, so specifying "-o" is no longer necessary for fast execution).
So if you cycle through a lot of logons, retiring rather than removing
them can cost you in useradd.

By the way, I do agree that reusing UIDs and logons is a bad idea.
A lot of people here are mad that we won't let them have a logon of
someone who left... But we enforce that other ways. Now with retired
accounts, we will need to check each application, ftp, pop, finger,
sendmail, etc, to see if it behaves as desired for retired accounts.
Clearly delivering mail to retired accounts and showing them in
finger are not appropriate.

Also, often userdel seems to lock an account, so we have to add
the u_lock_at_ back in after using userdel; beware...

        - Jerry Berkman, UC Berkeley
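The check described above, as an added example that is not part of Jerry's post: a small audit script that lists the accounts userdel left marked "Retired*" and flags those that still have a mail spool file (the passwd lines and spool directory are constructed for the demo; the /var/spool/mail path is an assumption about the site).

```shell
#!/bin/sh
# Added example, not from the original post. Finds accounts that DU 4.0D
# userdel left with "Retired*" in the password field and reports which of
# them still have a mail spool, since the post says sendmail keeps delivering.

# Print one login per line for every passwd entry whose password field
# starts with "Retired" (the marker shown in the post).
retired_accounts() {
    awk -F: '$2 ~ /^Retired/ { print $1 }' "$1"
}

# For each retired account print "login spool-present" or "login spool-absent".
# Usage on a live system (assumed spool path): check_mail_spool /etc/passwd /var/spool/mail
check_mail_spool() {
    pw=$1; spool=$2
    retired_accounts "$pw" | while read -r login; do
        if [ -f "$spool/$login" ]; then
            echo "$login spool-present"
        else
            echo "$login spool-absent"
        fi
    done
}

# Constructed demo data: a tiny passwd file and spool directory under /tmp.
demo() {
    tmp=${TMPDIR:-/tmp}/retired_demo.$$
    mkdir -p "$tmp/mail"
    cat > "$tmp/passwd" <<'EOF'
root:x:0:1:System:/:/bin/sh
barney:Retired*:40000:15::/usr/users/barney:/bin/sh
wilma:*:40001:15::/usr/users/wilma:/bin/sh
fred:Retired*:40002:15::/usr/users/fred:/bin/sh
EOF
    # barney is retired but still has a spool file; fred does not.
    echo "From sender Thu Feb 19 17:00:00 1998" > "$tmp/mail/barney"
    check_mail_spool "$tmp/passwd" "$tmp/mail"
    rm -rf "$tmp"
}
```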
Received on Fri Feb 20 1998 - 03:18:37 NZDT
