Annoying change to userdel under C2 security

From: Tim Mooney <mooney_at_dogbert.cc.ndsu.NoDak.edu>
Date: Wed, 20 May 1998 12:39:26 -0500 (CDT)

[
this is not a "quick turnaround" type of problem, but it's a problem I think
a lot of sites will face, so I'm raising it on the list anyway. My apologies
if anyone feels this is inappropriate, and you're welcome to let me know if
you do. ;-)
]

All-

We've run into a problem with a bug "fix" in patch set #7 for Digital Unix
4.0b, with respect to userdel. With patch set #6 and earlier, `userdel'
actually deleted a user, even under C2 security. With patch set #7, it now
retires them, and will not remove them even if the user is first converted
to base security using `convuser -b'.

I realize that this new behavior is documented in the patch description. I
also realize that I can uninstall this patch on 4.0b to get the old behavior.
I'm also pretty sure that this behavior is required by the C2 specification.

The problem is that this behavior has been rolled into 4.0d, so there's no
way to disable this behavior at 4.0d or later. If I disable the 4.0b + patch
set #7 behavior, I also lose other useful bug fixes in the remaining commands
that are part of that patch.

We use the C2 because in a university environment it's virtually a requirement
to have shadow passwords and some of the other nice features that are part of
C2 security. One feature we *must* have, though, is the ability to completely
remove users from our systems. With a large student population, we annually
add and remove thousands of users on our systems.

Under 3.2g and earlier, I had to use a "home brew" system to remove users
from /etc/passwd after using `convuser -b' to convert them to base security
(we had an unsupported copy of convuser from Digital as far back as 3.2c).
It appears that there's no way to configure how `userdel' acts under 4.0d and
later, so I may have to take a step backward and quit using `userdel'.

I personally feel retiring vs. deleting a user should be configurable behavior
for userdel. I actually feel that retiring should be done with `usermod' --
it seems obvious to me that if you're running a command named `userdel' you
really do want to delete the user, C2 or not.

In any case, I will be making an enhancement request, to try to get the `userdel'
behavior configurable, or get the old behavior back and make `usermod' the
mechanism to retire a user. If there are other sites that are affected by
this change, and I'm betting there are, I encourage you to also submit an
enhancement request.

I will summarize any feedback, good or bad, that I get related to this issue.

Tim
-- 
Tim Mooney                              mooney_at_dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J1, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Received on Wed May 20 1998 - 20:31:34 NZST
