Fedora 15, new and exciting plans

Richard W.M. Jones rjones at redhat.com
Sat Nov 20 17:50:43 UTC 2010


On Sat, Nov 20, 2010 at 06:32:26PM +0100, Michał Piotrowski wrote:
> How about removing some old unix crud? (he said this and he saw that
> some people start to gather firewood in the stack :))
> 
> Does anyone use gopher, uucp?
> 
> sync:x:5:0:sync:/sbin:/bin/sync

Someone at Red Hat asked me once what the purpose of the sync user
was, and I did some research and wrote the reply below.  It may be
interesting.

Rich.

<quote>
If you read this old (1988) advisory:

http://www.cert.org/advisories/CA-1988-01.html

it seems clear the original intent of the 'sync' user was to allow an
administrator to log in as 'sync' and have that synchronize the disks,
without needing a password.  There were apparently other user accounts
like 'who' with a similar purpose, and in the current passwd file we
can find similar accounts like 'halt' and 'shutdown'.

However having a passwordless guest account, even without a shell, is
a security hole (because some misconfigured or poorly written services
could allow access from one of these "users"):

http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A.1.ii

I tried to find out for you when the 'sync' user was added to Unix.
It's *not* in Unix v7 (1979):

http://unix-tree.huihoo.org/V7/etc/passwd.html

It *is* in Fedora Core 1 (2003) and RHL 5.0 (1996?) and Debian 0.9 (1995).
All of these have the password field set to '*' to prevent the
security problem.

After a lot of internet spelunking, I found that MCC Interim Linux
(1992?) contained a 'sync' user with no password!  So you could have
walked up to an MCC Interim Linux box c1992, and logged in as 'sync' /
no password, and it would have synchronized the disks.

It seems we inherited this tradition from Unix systems dating back to
some time in the 1980s.  It was carried over to Linux in 1991/1992,
but soon afterwards the empty password field was replaced with a '*'
because of security concerns, and it's been like that to this day.
</quote>

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
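As an added example (not part of the original mail or of any Fedora tooling): a small Python check over passwd-format lines that flags the problem the 1988 advisory describes, an account whose password field is empty, and separates it from accounts locked with '*' or '!' and from accounts that defer to /etc/shadow. The sample entries are constructed for the example; the 'mcc-sync' line is a hypothetical stand-in for the MCC Interim Linux entry mentioned above.

```python
# Added example, not code from the original mail. Audits passwd-style lines
# for the weakness in CA-1988-01: a system account (like 'sync') whose
# password field is empty, so it can be used with no password at all.
from typing import Dict, List, NamedTuple

# Constructed sample. 'sync' matches the line quoted in the thread;
# 'mcc-sync' is a hypothetical entry in the old, passwordless style.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/sbin/halt
shutdown::6:0:shutdown:/sbin:/sbin/shutdown
mcc-sync::5:0:sync:/:/bin/sync
"""


class PasswdEntry(NamedTuple):
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse the seven colon-separated passwd fields; skip blanks/comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def is_locked(pw: str) -> bool:
    # '*', '!' and '!!' can never match a hash, so no password login is possible.
    return pw.startswith(("*", "!"))


def report(text: str) -> Dict[str, List[str]]:
    """Classify accounts: empty field (the hole), locked, or shadowed ('x')."""
    entries = parse_passwd(text)
    return {
        "passwordless": [e.name for e in entries if e.password == ""],
        "locked": [e.name for e in entries if is_locked(e.password)],
        "shadowed": [e.name for e in entries if e.password == "x"],
    }
```

Accounts listed under "passwordless" are the ones to lock with '*' (or move to /etc/shadow), which is exactly the change the distributions made in the early 1990s.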