default Fedora accounts

[agustina]

Hello

How are you?
I would like to know what are these users used for in Fedora, as I need to delete the ones that are not used:

uucp
games
gopher
ftp
nobody
rpc
Vcsa
polkituser
nscd
rpcuser
nfsnobody
postfix
mailnull
smmsp
sshd
haldaemon

THANKSSS

[DBelton]

Actually, you would need to uninstall the packages that created those users if you don't need them instead of just deleting the users. (Those users can't login anyway, but the applications use them)

[agustina]

But please can you tell me what they do?

[Gareth Jones]

Why do you need to delete them?

Users with UIDs < 1000 are system users – they are generally used by daemons (background programs which provide system services, such as printing) as a security mechanism. A daemon runs as its own user, with only the permissions necessary to do its specific job, so as to limit the danger of any security exploits.

Removing those users, unless you know that they are unused on your system, will break things. Since the only resource that they take is UIDs in a reserved range, and you cannot log in as one of them, there seems little point in removing them.

[agustina]

Thanks, I need it for very high security standards.

[jpollard]

uucp - unix to unix copy. Not needed if the packages are not installed
games - used to hold records of games not needed
gopher - original "web" interface. Not needed.
ftp - used for managing anonymous ftp. Not needed if ftp not installed
nobody - required. Too many packages (and NFS) use this to indicate an anonymous use. Don't delete.
rpc - only if you use remote procedure calls
Vcsa - virtual console memory. I believe this one is required.
polkituser - used for an authorization framework. (man polkit). I think this one is mandatory, but not sure.
nscd - name service cache daemon. This is only needed if running a local cache only name server (nscd).
rpcuser - the UID used with remote procedure calls. I believe this is to sandbox the service daemon.
nfsnobody - Newer version of nobody. This one is specific for NFS.
postfix - only needed if you use the postfix mail service.
mailnull - account for mail spool files
smmsp - same as mailnull (different UIDs for different use)
sshd - used to protect against ssh login hacking.
haldaemon - hardware device database support. I think this one is still mandatory.

Some of this may be a bit dated - I'm sure stevea will correct me.

Many of these are only present to give applications/utilities an owner other than root. If you are a DoD site, you should only need to document their usage, AND show that they cannot be logged in, either remotely or locally. One explanation for them is as "placeholder" UID assignments that prevent them from being accidentally used improperly.

Some of these (well, sshd at least) have specific mandatory SELinux labels associated with the accounts.

[marko]

Quote:

Originally Posted by agustina

Thanks, I need it for very high security standards.

If you want security that high, you probably should do a bare minimum install and manually install just the things you need. Of course, even better might be to use a security specific distribution like LPS

http://www.serverwatch.com/server-tr...now-about.html

Fedora as a plus has selinux but as it has more bugs and bleeding edge software which is a negative for security

[jpollard]

I would strongly urge using something other than Fedora.

High security requires high quality. Fedora is rife with beta (and even alpha) software, and those have a tendency to be buggy - and that includes security vulnerabilities.

CentOS or SL would be better.

Even better, the security specific distributions.

Don't use a system with systemd - it is not yet validated for any security.

[Gareth Jones]

I agree with marko and jpollard. It is better to start with a minimal secure base and build up, rather than to strip down a large bleeding-edge distro.