Hi again.
Thanx to all who responded...
Well it turns out that I did everything correctly. However a co-worker
smart-assedly remarked that bad things happen if you remove the
/etc/passwd entry before you remove the auth entry. ;-) At this point I
don't remember which I removed first.
I think Larry Clegg put it best:
------------------------------------------------------------------------------
C2 guidelines state that you "can't" remove a user - that would violate
the
standards - you can retire a user. If this doesn't work for you then you
can do the following:
"To meet C2-security requirements there is no official way to completely
remove a user's account information. The account can be retired only -
once
retired it can never be 'unretired' nor can the UID be reused. That's
according to the government's official Orange Book policy.
Unofficially this is how you would do it:
Step 1: # userdel -r <account-name-to-be-removed> (Caution: this also
removes the home directory and all files in it.)
Step 2: # vipw (This will edit the password file - NEVER use vi on the
password file - use vipw instead and simply delete the line containing the
target account)
Step 3: # convuser -d (This will compare the password file to the
enhanced
security database and remove anything in the enhanced db which is not in
the
password file)
Warning: if you're ever using ACL's to grant access to files, events,
etc.
and then you delete the user associated with those ACL's and reassign the
UID to a new user then that new user will have access to all the files
previously accessed by the former UID owner!"
----------------------------------------------------------------------------
========================
Mike Johnson
University of Denver
University Technology Services
(303)871-3722
---------- Forwarded message ----------
Date: Mon, 9 Jul 2001 13:41:32 -0600 (MDT)
From: Mike Johnson <mike_at_du.edu>
To: tru64-unix-managers_at_ornl.gov
Subject: Removing Users?
Hello all.
We just recently upgraded to 5.1 from 4.0f. We are running C2 security.
When I removed a user (from /etc/passwd and from the auth database), the
system stopped accepting logins. Is there some trick that I missed in 5.1
that you have to do to remove users and leave the system in good shape and
functioning properlY?
Thanx, will summarize...
========================
Mike Johnson
University of Denver
University Technology Services
(303)871-3722
Received on Wed Jul 11 2001 - 00:40:51 NZST