Removing unnecessary default user accounts
During installation of the operating system, a number of default user and group IDs are created. Depending on the applications you are running on your system and where your system is located in the network, some of these user and group IDs can become security weaknesses, vulnerable to exploitation.
The following table lists the most common default user IDs that you might be able to remove:
| User ID | Description |
|---|---|
| uucp, nuucp | Owner of hidden files used by uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is a group of commands, programs, and files, present on most AIX® systems, that allows the user to communicate with another AIX system over a dedicated line or a telephone line. |
| lpd | Owner of files used by printing subsystem |
| guest | Allows access to users who do not have access to accounts |
The following table lists common group IDs that might not be needed:
| Group ID | Description |
|---|---|
| uucp | Group to which uucp and nuucp users belong |
| printq | Group to which lpd user belongs |
Analyze your system to determine which IDs are indeed not needed. There might also be additional user and group IDs that you might not need. Before your system goes into production, perform a thorough evaluation of available IDs.
Note: Instead of removing the
printq group because of the dependency on printer filesets,
disable the lp user ID, the piobe command, and the qdaemon program
in the /etc/inittab
entry to minimize the security risks. This prevents the user from running print commands.