SUMMARY : Safe to remove former sysadmin's accounts ?

From: chas <panda_at_peace.com.my>
Date: Wed, 08 Apr 1998 04:08:36 +0800 (SGT)

Many thanks for the speedy responses (included below).

Conclusion :
1. It is safe to remove the user account totally from
   /etc/passwd (remove also from the group file). I had
   actually worried about doing this lest the UID be
   referenced somewhere else. (so George Gallen's
   reply was interesting in this respect)
2. Check the cron jobs
3. Scan all executables for plain text of their login
   names.

I think I will simply restart again with a clean install
but this should cover me until then.


Thank you very much to the following :

----------------------------------

From: bbahnmil_at_redwood.dn.hac.com (Bryan Bahnmiller)

  Also check for any cron jobs they may be running!
  
------------------------------------

From: Joanna Gaski <jgaski_at_WPI.EDU>

This may be naive, but I would check to see if cron uses anything from
one of their directories. You could also check the file access times
to see if any of their programs/files are being used (by cron or
called from another automated program).

----------------------------------

From: "De Bruler, Bonnie " <debruler_at_eglin.af.mil>

You can remove the accounts, but leave the directory structures. You've
already handled the ownership issues.

----------------------------------

From: Mike Iglesias <iglesias_at_draco.acs.uci.edu>

You can just remove the entries in /etc/passwd so email will fail and
no one can login to the accounts, but the files will still be there.

Mike

----------------------------------

From: George Gallen <ggallen_at_slackinc.com>

What about changing the name, password, shell associated with that
account name (UID) with your name, this way any program associated
with their old UID, will now be associated with you. The program only
has the UID stored, not the actual name, unless the programs actually
check for the login name. Have you scanned all your executables for
plain text of their login names?

George Gallen
ggallen_at_slackinc.com

----------------------------------

Original Question :

At 01:49 AM 4/8/98 +0800, chas wrote:
>I fell into sysadmin for the Alpha boxes by default when
>the 2 former sysadmins left in quick procession. I've
>disabled their accounts in so much as set their shells to
>/nonexistant and changed their passwds. Email still arrives
>for them and I really would prefer to delete the accounts
>but they installed a great deal of software and scripts
>under their own accounts, so I am loath to remove the
>accounts lest it breaks anything. Are these fears unnecessary ?
>If not, are there any checks that I should perform before
>removing the accounts ?
>(I've already located all the files they owned and changed
>their ownership with "find / -user predecessors-name -print | more")
>
>Thank you very much,
Received on Tue Apr 07 1998 - 22:26:50 NZST
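
The checks this summary settles on (passwd and group entries, cron jobs, and login names embedded in executables), written out as an added shell example that is not part of the original thread. The crontab directories, the optional ROOT prefix and the /usr/local scan target are assumptions; adjust them for the system at hand.

```shell
#!/bin/sh
# Pre-removal audit for a departed login (added example, not from the thread).
# The optional ROOT prefix lets each check run against a restored backup or
# a test tree instead of the live filesystem.

# passwd/group lines naming LOGIN as the account, a group name, or a member.
account_refs() {  # usage: account_refs LOGIN [ROOT]
    awk -F: -v u="$1" '
        $1 == u { print FILENAME ": " $0; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) { print FILENAME ": " $0; break } }
    ' "${2:-}/etc/passwd" "${2:-}/etc/group" 2>/dev/null || :
}

# Crontab lines that mention LOGIN or HOMEDIR, plus LOGIN's own crontab.
# The directory list is an assumption; crontab locations differ by system.
cron_refs() {  # usage: cron_refs LOGIN HOMEDIR [ROOT]
    for d in var/spool/cron/crontabs var/spool/cron etc/cron.d; do
        [ -d "${3:-}/$d" ] || continue
        if [ -f "${3:-}/$d/$1" ]; then
            echo "${3:-}/$d/$1: crontab belonging to $1"
        fi
        # /dev/null forces the "file:" prefix even when only one file exists
        grep -wF -e "$1" -e "$2" "${3:-}/$d"/* /dev/null 2>/dev/null || :
    done
}

# Executable files under DIR containing LOGIN as plain text. grep -l only
# names the file, so scripts and binaries are handled alike.
exec_refs() {  # usage: exec_refs LOGIN DIR
    find "$2" -type f -perm -100 \
        -exec grep -lwF -e "$1" {} + 2>/dev/null || :
}

# Run every check when called as: audit.sh LOGIN HOMEDIR
if [ "$#" -eq 2 ]; then
    account_refs "$1"
    cron_refs "$1" "$2"
    exec_refs "$1" /usr/local   # scan target is an assumption
fi
```

Any line this prints is a dependency to re-home or remove before the passwd entry goes; empty output from all three checks means nothing found in the places scanned, not that nothing exists elsewhere.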
