I received several replies to my message to the list regarding the changed
behavior of `userdel'. I wish to thank the following people for responding:
scott.b.skeate_at_lmco.com
"John P . Speno" <speno_at_isc.upenn.edu>
Jane Kramer <Jane.Kramer_at_oberlin.edu>
pgouffon_at_charme.if.usp.br
Phil Rand <prand_at_paul.spu.edu>
Andrew Leahy <alf_at_cit.nepean.uws.edu.au>
"Paul Yahnig" <Yahnig_at_GroupWise.Kean.Edu>
Larry Griffith <larry_at_garfield.wsc.mass.edu>
A number of the respondents pointed out that you can use `edauth -r <login>'
to completely remove any C2 database entry for a particular login. I wasn't
completely clear in my original message -- I was aware that this still works
(as does the `convuser -b' trick) but `userdel' still won't delete their
passwd file entry. This is what was frustrating to me. I really don't want
to have to go back to a home grown method to handle removing users from the
passwd file, but as it stands that's what's going to have to happen, I'm
afraid.
As I suspected and as Andrew Leahy pointed out, the C2 specification requires
that a C2 implementation (as Andrew put it) "support [the following]
objective":
"No object reuse: numerical user IDs and group IDs for deleted user
accounts and groups are never used again, and a new user or group with the
same name as a deleted account receives an unrelated ID and has no
relationship to the name's previous incarnation."
As Andrew and others pointed out, most university and business sites don't
want the full/rigid C2 implementation, they want parts of it like shadow
passwds, login controls, passwd controls, etc.
It's also worth noting that the man page for `userdel' wasn't updated as part
of the patch, nor has it been updated on 4.0d, so it is completely outdated
with regard to how `userdel' currently functions under C2 security.
Again, my thanks to all the people that responded to the original message.
A couple of people indicated that they would be opening (or had already opened)
enhancement requests, so hopefully enough people will jump on the bandwagon
that the `userdel' behavior gets modified to be configurable.
Tim
--
Tim Mooney mooney_at_dogbert.cc.ndsu.NoDak.edu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J1, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Received on Tue May 26 1998 - 23:25:57 NZST
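As an added illustration of the "no object reuse" objective quoted in the message above (this is not code from the original post, nor Digital UNIX's own `userdel' or `edauth'), the following hypothetical helpers remove a login from a passwd-format file the way a home-grown replacement might: the deleted entry's UID is written to a retired-UID ledger, and the allocator for new accounts refuses to hand that UID out again, so a later account re-created under the same name gets an unrelated ID. The helper names `retire_user` and `next_uid`, the ledger file layout (`login:uid`), and the sample passwd lines are all assumptions made for this example; it never touches the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not Digital UNIX's userdel/edauth and not code from the
# original message. retire_user and next_uid are hypothetical helpers that
# remove a passwd-format entry while keeping the C2 "no object reuse" rule:
# the retired UID goes into a ledger that next_uid refuses to hand out again.

# retire_user PASSWD_FILE RETIRED_FILE LOGIN
#   Delete LOGIN's line from PASSWD_FILE and record "LOGIN:UID" in RETIRED_FILE.
#   Returns 1 (and changes nothing) if LOGIN has no entry.
retire_user() {
    passwd_file=$1; retired_file=$2; login=$3
    uid=$(awk -F: -v l="$login" '$1 == l { print $3; exit }' "$passwd_file")
    [ -n "$uid" ] || return 1
    [ -f "$retired_file" ] || : > "$retired_file"
    printf '%s:%s\n' "$login" "$uid" >> "$retired_file"
    tmp="$passwd_file.tmp.$$"
    awk -F: -v l="$login" '$1 != l' "$passwd_file" > "$tmp" && mv "$tmp" "$passwd_file"
}

# next_uid PASSWD_FILE RETIRED_FILE MIN
#   Print the lowest UID >= MIN that is neither in use in PASSWD_FILE nor
#   listed in the retired ledger, so a re-created login never inherits its
#   predecessor's UID.
next_uid() {
    passwd_file=$1; retired_file=$2; min=$3
    [ -f "$retired_file" ] || : > "$retired_file"
    { awk -F: '{ print $3 }' "$passwd_file"; awk -F: '{ print $2 }' "$retired_file"; } |
        awk -v min="$min" '{ used[$1] = 1 } END { u = min + 0; while (u in used) u++; print u }'
}

# Stand-alone demo on a constructed passwd file in a scratch directory
# (constructed sample data; never run this against the live /etc/passwd).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/:/bin/sh\nalice:x:1000:100:Alice:/u/alice:/bin/sh\nbob:x:1001:100:Bob:/u/bob:/bin/sh\n' \
    > "$demo_dir/passwd"
retire_user "$demo_dir/passwd" "$demo_dir/retired" alice
echo "after retiring alice (UID 1000), next free UID from 1000 is $(next_uid "$demo_dir/passwd" "$demo_dir/retired" 1000)"
rm -rf "$demo_dir"
```

Running the demo reports 1002 rather than 1000: alice's old UID stays blocked by the ledger even though it no longer appears in the passwd file, which is exactly the property the quoted objective asks for. A real replacement would also have to lock the file and drop the matching C2 database entry (`edauth -r`), which this illustration leaves out.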