[17058] in bugtraq
Re: User operator under Red Hat 6.2
daemon@ATHENA.MIT.EDU (Kurt Seifried)
Thu Oct 5 01:56:01 2000
Message-ID: <000f01c02e57$35789020$cc00030a@seifried.org>
Date: Wed, 4 Oct 2000 17:02:43 -0600
Reply-To: Kurt Seifried <listuser@seifried.org>
From: Kurt Seifried <listuser@seifried.org>
X-To: "DIEGO GARCIA _ DIRECCION DE SISTEMAS-."
<drgarcia@JAVERIANA.EDU.CO>
To: BUGTRAQ@SECURITYFOCUS.COM

> It's not necessarily a bug but is a big problem when you install Red Hat
> 6.2 and one
> user different to root has guid root, even worse if you don't know it.
>
> User: operator
> Home : /root (oops! same home than root, same bash history!)
> Main group: root
>
> (Maybe you find the operator user useful but maybe you must change its
> home,
> also you must think about that in a dictionary attack there are two roots
> to find)
>
> If you find some PAM message with a remote change password to operator
> be careful, maybe you must look in root history for not-normal activity
>
> Have a nice IT day
>
> Diego García

Argh. Also in Red Hat 7.0:

uid=11(operator) gid=0(root) groups=0(root)

Using find, I couldn't find any files owned by operator, using grep I
couldn't find anything in etc that mentioned the operator user (beyond the
password files). It appears safe to remove the user:

userdel operator

At least nothing has broken so far =). Gratuitous root accounts are rather
annoying. Red Hat 7.0 also ships sudo, so there's a better solution
available.

Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net.
http://www.securityportal.com/
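
An added example, not part of the original posts: a read-only check for the condition discussed in this thread, listing accounts other than uid 0 whose primary group is 0 or whose home directory is the same as root's. The function names and the sample passwd lines are constructed for illustration; on a real system, run audit_passwd against /etc/passwd.

```sh
#!/bin/sh
# audit_passwd FILE
# Reads a passwd-format file and prints one line per finding:
#   <user>: <reason>[, <reason>]
audit_passwd() {
    awk -F: '
        # First pass: remember the home directory of every uid 0 account.
        NR == FNR { if ($3 == 0) roothome[$6] = 1; next }
        # Second pass: inspect every account that is not uid 0.
        $3 != 0 {
            why = ""
            if ($4 == 0) why = "primary gid 0"
            if ($6 in roothome) why = (why ? why ", " : "") "shares home " $6
            if (why) print $1 ": " why
        }
    ' "$1" "$1"
}

# Constructed sample. The operator line mirrors what the thread reports
# (uid 11, gid 0, home /root); the other lines are made up for contrast.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
}

# Run the audit over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    audit_passwd "$tmp"
    rm -f "$tmp"
}

demo
```

A finding is a prompt to review the account (ownership of files, references in configuration) before changing or removing it, as done in the reply above.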