Title: DIGITAL UNIX (FORMERLY KNOWN AS DEC OSF/1)
Notice: Welcome to the Digital UNIX Conference
Moderator: SMURF::DENHAM
Created: Thu Mar 16 1995
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 10068
Total number of notes: 35879
Hi, I've configured C2 on a Digital UNIX v4.0A system and now I can't delete an account, I can only "retire" it. This retirement avoids the user login but does not remove the user directory, and the user still shows up in the dxaccounts screen. What are the steps to really DELETE an account in a C2 environment? Thanks in advance, Regards, Miriam
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
9602.1 | | GERUND::WOLFE | I'm going to huff, and puff, and blow your house down | Thu Apr 24 1997 14:14 | 9 |
You need to edauth -r the user to get him out of the C2 protected password database, and then also delete the /etc/passwd entry (edauth -r might do this automatically - I'm not sure) and the /etc/group file. Then you'd delete his directory/files if appropriate. We really need to add this as an option to the gui and the cli for a future release. pete
9602.2 | The reason | NNTPD::"[email protected]" | Ann Majeske | Fri Apr 25 1997 13:07 | 23 |
There is a security-related reason that Enhanced Security does not include "remove user" functionality (we didn't just forget it ;^). For C2 level of security (as defined in the Orange Book), you must be able to distinguish between individual users for purposes of auditing and access control. If you "remove" a user, there is no way for the system to know that that user's UID and name were used previously and you could assign that user's UID and/or name to a new user. Then, among other things, the second user could have access to files left on the system by the first user, files that the new user potentially should not have access to. Since many of our customers who use Enhanced Security aren't concerned with following the C2 level requirements to the letter, and some of them would like to have the capability to remove users, it makes sense for us to look into adding that functionality. But, we'll have to take care to not break our C2 level functionality, so, if we do this it will probably have to be configurable functionality with clear warnings that if it is used a C2 level of security is not being maintained. Can someone please enter a QAR requesting this functionality? [Posted by WWW Notes gateway]
9602.3 | One more question | VAXRIO::MIRIAM | Unix Group - CSC/Brazil | Tue Apr 29 1997 11:47 | 8 |
Thank you for your help. I got one more question. Has anyone been able to delete a user's directory by selecting this option on the retire window? I tried to do it but it didn't work for me. Is it a bug? Regards, Miriam
9602.4 | | GERUND::WOLFE | I'm going to huff, and puff, and blow your house down | Wed Apr 30 1997 00:15 | 5 |
I believe this is a known bug that is fixed in the patch kit for V4.0. It only worked when multiple accounts were deleted simultaneously (i.e. had to select more than 1 account). pete |
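
The UID and name reuse risk described in reply 9602.2, as an added example that is not part of the original thread: a POSIX shell check that compares a passwd-format file against a ledger of removed accounts and flags any active account that has inherited a removed user's UID or login name. The ledger file, its `name:uid` format, the function names and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag active accounts that reuse a UID or login name once held by a removed user.
# Ledger format (hypothetical, defined for this example): name:uid, one per line.
# Passwd format: the standard name:pw:uid:gid:gecos:home:shell layout.
uid_reuse_report() {
    ledger=$1 passwd=$2
    awk -F: '
        /^#/ { next }                          # skip comment lines in either file
        FILENAME == ARGV[1] {                  # first file: the removal ledger
            if (NF >= 2) { name_of[$2] = $1; uid_of[$1] = $2 }
            next
        }
        NF < 3 { next }                        # ignore malformed passwd lines
        ($3 in name_of) && name_of[$3] != $1 { # same UID, different login name
            printf "UID_REUSE uid=%s retired=%s active=%s\n", $3, name_of[$3], $1
        }
        ($1 in uid_of) && uid_of[$1] != $3 {   # same login name, different UID
            printf "NAME_REUSE name=%s retired_uid=%s active_uid=%s\n", $1, uid_of[$1], $3
        }
    ' "$ledger" "$passwd"
}

# Constructed sample data: alice and bob were removed, then their identifiers reissued.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/retired" <<'EOF'
# constructed sample ledger of removed accounts
alice:1001
bob:1002
EOF
    cat > "$tmp/passwd" <<'EOF'
root:*:0:1:system PRIVILEGED account:/:/bin/sh
carol:*:1001:15:Carol:/usr/users/carol:/bin/sh
bob:*:1007:15:New Bob:/usr/users/bob:/bin/sh
dave:*:1003:15:Dave:/usr/users/dave:/bin/sh
EOF
    uid_reuse_report "$tmp/retired" "$tmp/passwd"
    rm -rf "$tmp"
}
demo
```

An account that was only retired keeps its original name and UID in the passwd file, so it produces no finding; only a reissued identifier is reported.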