kecoak
asked on
Disable user
1) What is the best way to disable a user in Solaris?
2) What would be the impact if I just commented a user in /etc/passwd? Do you think this is a good practice?
I would disagree. Although files remain in the system, the user is, de facto, disabled.
You can also change the default user's shell to something like /bin/false or the like, which will achieve a similar effect (not disabled, but cannot log in).
My disagreement is with commenting out the user.
Locking the account with the passwd command is the proper way to disable the user.
Changing the shell is not necessary if the user has been locked using the passwd command. It is a common practice when you want to allow a user FTP access while not allowing shell access.
Of course, if this system is using NIS, NIS plus or LDAP, then there are other considerations, since the intended user may not even be in the local passwd file...
I assume that the original questioner will tell us more.
ASKER
No NIS or whatever ... just a local machine. What would happen to the passwd and shadow files if you type passwd -l username? Will it get deleted? Or does it get some kind of mark telling us that the account has been disabled?
It will put the string *LK* in the shadow file.
Just as a further comment, unless absolutely necessary it is EXTREMELY bad form to manually edit /etc/passwd. You should go through the proper commands for any changes.
Too many ways to effectively lock yourself, including root, out of the system.
This will "disappear" the user. All his files will be owned by an unused UID, etc. But it works, and is easily reversible.
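As an added example (not part of the thread), this sh audit classifies an account by the three methods discussed above: commented out in /etc/passwd, shell set to /bin/false, or locked with passwd -l (the *LK* marker in the shadow file). The account names, hash placeholders and the function names account_state and make_sample are constructed for illustration, and the script reads copies of the files rather than the live ones.

```shell
#!/bin/sh
# account_state USER PASSWD_FILE SHADOW_FILE
# Prints one of: locked, no-shell, commented-out, absent, active.
account_state() {
    user=$1; passwd_file=$2; shadow_file=$3
    awk -F: -v u="$user" '
        FNR == NR {                      # first file: passwd
            name = $1
            if (name == u) { found = 1; shell = $7 }
            else if (sub(/^#[ \t]*/, "", name) && name == u) commented = 1
            next
        }
        $1 == u { pw = $2 }              # second file: shadow
        END {
            if (!found) { print (commented ? "commented-out" : "absent"); exit }
            # Assumption: a field that starts with *LK* (bare marker or
            # marker followed by a hash) counts as locked.
            if (index(pw, "*LK*") == 1) { print "locked"; exit }
            if (shell == "/bin/false")  { print "no-shell"; exit }
            print "active"
        }' "$passwd_file" "$shadow_file"
}

# Constructed sample data: hypothetical accounts, placeholder hashes.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
alice:x:101:10::/export/home/alice:/bin/ksh
#bob:x:102:10::/export/home/bob:/bin/ksh
carol:x:103:10::/export/home/carol:/bin/false
dave:x:104:10::/export/home/dave:/bin/ksh
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTEDHASH0:6445::::::
alice:CONSTRUCTEDHASH1:12000::::::
bob:CONSTRUCTEDHASH2:12000::::::
carol:CONSTRUCTEDHASH3:12000::::::
dave:*LK*:::::::
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
for u in root alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(account_state "$u" "$sample/passwd" "$sample/shadow")"
done
rm -rf "$sample"
```

In the sample, bob is commented out of passwd but still has a password hash in shadow, so the two files no longer agree; dave, locked with the marker, keeps a consistent entry in both.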