On Sat, 23 Sep 2006, Daniel Shaw wrote:
> Exactly. Read what I wrote. I agree. The point is that you can
> configure the OS to use a minimum UID, so you can force it to NOT
> reuse an ID without having to keep the old users.
Maybe. That's in the realm of distribution/OS specific tools, of
which there are many, rather than general Unix best practice.
> Or do you mean usernames, not UIDs? In that case, I agree that the
> best way is to keep the username in the password file (or
> NIS/whatever).
You probably shouldn't re-use those either, but that's slightly less
critical (wrt Unix permissions anyway). It might be important if you
use NFSv4.
[snip advice referencing very specific files/mechanisms]
> So therefore, even if you keep the identities, it's important to zero all
> passwords.
You need to disable the account, obviously, yes. And you need to do
that properly, yes, obviously. That has nothing to do with re-using
IDs.
You should probably wipe most personal info, except perhaps the full
name, if you wish or not. It can be most annoying to existing users
if full name information is scrubbed from disabled accounts.
Exactly how to disable the account is system dependent, but "zero out
the passwords" seems very specific, and might not be good advice
generally. Check your OS documentation. The right way is probably to
remove the password altogether, but that requires trust that end-systems
are all configured to disallow passwordless authentication, for all
relevant services. Slightly better is to use some mechanism specific
to the algorithm concerned to indicate "invalid password", e.g. an
invalid password hash value.
It's not clear to me where you're disagreeing with me, if at all,
other than about disk space. Which I hadn't mentioned at all.
(But note, the reason to /not/ re-use IDs in a network with
distributed user information is precisely because it can be a /huge/
job to "reclaim" all files the user ever created, for the ID about to
be deleted..).
Anyway, this is /not/ my opinion by the way, this is from my
observation of large Unix networks and how they are administered (one
largeish campus network a long time ago, and undoubtedly one of the
biggest cohesive Unix networks on the planet today, if not the
biggest[1]).
1. It all depends on whether Google have a cohesive unix user
environment across their google cluster machines, if so GOOG would
be. But I suspect not, in which case the network I'm thinking of
likely is way bigger.
regards,
--
Paul Jakma  paul at clubi.ie / paul at jakma.org  Key ID: 64A2FF6A
Fortune:
Pauca sed matura.
[Few but excellent.]
-- Gauss
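As an added illustration (not code from Paul's post or anyone else in the thread), a small Python audit over constructed passwd/shadow-style records showing the distinction drawn above: accounts disabled with an invalid hash versus accounts merely left passwordless, plus a check for UIDs shared between two usernames. The `audit`/`classify_hash` names and the sample records are assumptions.

```python
# Added example, not from the original thread. Audits constructed passwd(5)/
# shadow(5)-style records for two points raised in the discussion: a disabled
# account should carry an invalid hash, not an empty password field, and no
# two usernames should share a UID.
from dataclasses import dataclass

# Constructed sample data, not from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Example:/home/alice:/bin/sh
bob:x:1002:1002:Bob Example (left 2006):/home/bob:/bin/sh
carol:x:1001:1003:Carol Example:/home/carol:/bin/sh
dave:x:1004:1004:Dave Example:/home/dave:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$hashhashhash:13000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:13000:0:99999:7:::
bob:!:13000:0:99999:7:::
carol::13000:0:99999:7:::
dave:*:13000:0:99999:7:::
"""

@dataclass
class Finding:
    user: str
    issue: str

def classify_hash(h: str) -> str:
    """Classify a shadow password field: passwordless, disabled or active."""
    if h == "":
        return "passwordless"   # relies on every service refusing empty passwords
    if h.startswith(("!", "*")):
        return "disabled"       # invalid hash: no password can ever match it
    return "active"

def audit(passwd: str, shadow: str) -> list[Finding]:
    """Return findings for passwordless accounts and shared UIDs."""
    hashes = {line.split(":")[0]: line.split(":")[1] for line in shadow.splitlines()}
    seen_uid: dict[str, str] = {}
    findings: list[Finding] = []
    for line in passwd.splitlines():
        user, _, uid = line.split(":")[:3]
        if uid in seen_uid:
            findings.append(Finding(user, f"uid {uid} shared with {seen_uid[uid]}"))
        else:
            seen_uid[uid] = user
        if classify_hash(hashes.get(user, "")) == "passwordless":
            findings.append(Finding(user, "passwordless account"))
    return findings
```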