[Systems] Fixed: The user has not setup an home page

Bernie Innocenti bernie at codewiz.org
Thu Nov 8 01:54:51 EST 2018


On 11/7/18 4:54 PM, James Cameron wrote:
> I agree with Bernie that it is unusual these days to need shell
> accounts, with the plethora of services available from other
> organisations.  For instance, why can't Peace Ojemeh use GitHub for
> files?  Then we could delete the shell account and keep the mail
> alias.

Yeah, email aliases are easy to set up and low risk (although I recently 
had to kick my father from codewiz.org because his Mac was sending spam 
and hurting the reputation of my domain to the point I could no longer 
deliver to Gmail users :-)


> I don't feel there is consensus yet on what to do with the risk of
> inactive or unnecessary accounts.

The system-userdel script keeps around the home, so it's easy to 
re-instate them if they come back.

When the ldap password expires, they also cannot log in via ssh with a 
key, because pam denies users with expired passwords.


> For account tgillard, it kept copies of virtual machines and operating
> system installers that were available from somewhere else, about 38
> GB.  No login since February 2016, no new files since 2015, and none
> of the files are recent; security risk of zero day vulnerabilities if
> installed.  Mail alias tgillard at sugarlabs.org was never used.

Thomas has an interest in building and distributing system images for 
Sugar in various formats.

Probably, he can't easily find another place to distribute such huge files, 
so I granted him extra filesystem quota when needed and asked him to 
delete old images that are no longer required.

I don't remember if we excluded his public_html/ from backups... maybe?

> +CC Thomas, can we delete the account now?  Or can you clean it up and
> delete the out of date files with security vulnerabilities?

Thomas, your work is appreciated, but (as James also said) old OS images 
may put users at risk. If we want to continue distributing them, we 
should also deliver security updates.

We don't want Sugar users to become spambots like my father's Mac :-)


> On Wed, Nov 07, 2018 at 04:31:07AM +0100, Samson Goddy wrote:
>> Peace Ojemeh just created an account yesterday.
>>
>> On Wed, Nov 7, 2018, 4:29 AM Walter Bender <[1]walter.bender at gmail.com wrote:
>>
>>      A few people on the list are still active: tgilliard for example. And
>>      please keep cjl's account around.
>>
>>      On Tue, Nov 6, 2018 at 10:21 PM Bernie Innocenti <[2]bernie at codewiz.org>
>>      wrote:
>>
>>          On 11/7/18 10:20 AM, James Cameron wrote:
>>          > Small typo in sunjammer:/etc/skel/public_html has been fixed, and
>>          > copied to affected users public_html/
>>          >
>>          > ajay aleph anurag aperez arun aurora ayush bashintosh benzea caroline
>>          > christophd cjb cjl crodas dcastelo dcrossland dsd dvd earias erikg
>>          > fran godiard ishan jminor kaametza kandarpk leio mako manusheel marco
>>          > martasd martin mokurai mostro mstone mtd mukul mvn naufraghi neeraj
>>          > nubae peaceojemeh pflores piro rasky rralcala rsl sergiodj shanjit sj
>>          > socialhelp tal tuukka werner woody wwdillingham
>>          >
>>          > Know any of these users are inactive?  Perhaps we should remove them.
>>          >
>>          > There are 119 user home directories on sunjammer.
>>
>>          There's an old cronjob to find users with expired ldap passwords and
>>          notify them by email: /etc/cron.weekly/check_pwd_expire
>>
>>          I ran a modified version that doesn't send email to generate this list:
>>
>>          Note: user alsroot password has expired since 668 days
>>          Warning: user asharma has no LDAP entry
>>          Note: user bashintosh password has expired since 1197 days
>>          Warning: user dcrossland has no LDAP entry
>>          Note: user francis password has expired since 821 days
>>          Note: user francocorrea password has expired since 912 days
>>          Note: user mako password has expired since 898 days
>>          Note: user martasd password has expired since 954 days
>>          Note: user mstone password has expired since 1107 days
>>          Note: user quidam password has expired since 1068 days
>>          Note: user rolf password has expired since 991 days
>>          Note: user rralcala password has expired since 820 days
>>          Note: user sam password has expired since 429 days
>>          Warning: user tgilliard has no LDAP entry
>>
>>          There's also system-userdel, a convenient script which removes users
>>          from ldap and other places and moves their home to /home/_disabled
>>
>>          Feel free to delete all these users, except sam and rralcala who
>>          are still active. User tgilliard is actually Tgilliard in ldap... weird
>>          :-)
>>
>>          Providing shell accounts to developers was still fashionable 10 years
>>          ago, but with things like GitLab which support the entire development
>>          -> release -> web deployment cycle, I no longer see the reason in most
>>          cases. Developer accounts have become a huge security concern due to
>>          the various CPU exploits, so I would avoid giving out more shell
>>          accounts to people who are not supposed to be root anyway.
>>
>>          --
>>           _ // Bernie Innocenti
>>           \X/  [3]https://codewiz.org/
>>          _______________________________________________
>>          Systems mailing list
>>          [4]Systems at lists.sugarlabs.org
>>          [5]http://lists.sugarlabs.org/listinfo/systems
>>
>>      --
>>      Walter Bender
>>      Sugar Labs
>>      [6]http://www.sugarlabs.org
>>      [7]
>>      _______________________________________________
>>      Systems mailing list
>>      [8]Systems at lists.sugarlabs.org
>>      [9]http://lists.sugarlabs.org/listinfo/systems
>>
>> References:
>>
>> [1] mailto:walter.bender at gmail.com
>> [2] mailto:bernie at codewiz.org
>> [3] https://codewiz.org/
>> [4] mailto:Systems at lists.sugarlabs.org
>> [5] http://lists.sugarlabs.org/listinfo/systems
>> [6] http://www.sugarlabs.org/
>> [7] http://www.sugarlabs.org/
>> [8] mailto:Systems at lists.sugarlabs.org
>> [9] http://lists.sugarlabs.org/listinfo/systems
> 

-- 
  _ // Bernie Innocenti
  \X/  https://codewiz.org/
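
The stale-account report discussed in this thread, as an added example (not the Sugar Labs check_pwd_expire script, whose contents are not shown here). It assumes password expiry is derived from the RFC 2307 `shadowLastChange` and `shadowMax` attributes, and it separates a home-directory owner with no LDAP entry at all from one whose uid differs only in case, the situation noted above for tgilliard/Tgilliard. All accounts, dates and the LDIF dump are constructed sample data.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample data (not real accounts). shadowLastChange is in days
# since 1970-01-01; shadowMax is the maximum password age in days.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
shadowLastChange: 17000
shadowMax: 365

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
shadowLastChange: 17900
shadowMax: 365

dn: uid=Carol,ou=People,dc=example,dc=org
uid: Carol
shadowLastChange: 17950
shadowMax: 365
"""
SAMPLE_HOMES = ["alice", "bob", "carol", "dave"]  # owners of /home/* directories
SAMPLE_TODAY = EPOCH + timedelta(days=18000)

def parse_ldif(text):
    """Return {uid: attrs} from a minimal LDIF dump (single-valued, unfolded)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uid" in attrs:
            entries[attrs["uid"]] = attrs
    return entries

def audit(home_users, entries, today):
    """Report expired passwords and home directories without a matching entry."""
    by_lower = {uid.lower(): uid for uid in entries}
    now = (today - EPOCH).days
    report = []
    for user in sorted(home_users):
        if user not in entries:
            variant = by_lower.get(user.lower())
            if variant:  # exact lookup failed, but a case-insensitive one matches
                report.append(f"Warning: user {user} matches LDAP uid {variant} only when case is ignored")
            else:
                report.append(f"Warning: user {user} has no LDAP entry")
            continue
        attrs = entries[user]
        if "shadowLastChange" not in attrs or "shadowMax" not in attrs:
            continue  # no expiry policy recorded for this entry
        overdue = now - (int(attrs["shadowLastChange"]) + int(attrs["shadowMax"]))
        if overdue > 0:
            report.append(f"Note: user {user} password has expired since {overdue} days")
    return report

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HOMES, parse_ldif(SAMPLE_LDIF), SAMPLE_TODAY)))
```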


