19.9 Summary

Proper account administration is vital to keeping your computer secure. Be very careful about accounts without passwords: by definition, these accounts can be used by anyone who knows about them. Examine the default accounts that come with your computer: make sure that they cannot be used or, if they can be used, make sure that their passwords have been changed.

Do not set up group accounts—that is, a single account that is used by more than one person. Group accounts diffuse accountability, which invariably makes some people act with less responsibility. (Plato observed this correlation more than 2,000 years ago when he wrote The Republic.)

You can place restrictions on accounts using either the chroot( ) or jail( ) system calls. You can also protect the superuser account by using SUID programs and other tools so that people do not need to be told the superuser password to get their work done.

Even in this day of biometrics and sophisticated security tokens, passwords remain the primary defense for many Unix installations. Make sure that your users do not employ passwords that are easily guessed. Use tools to detect account misuse or password abuse; if you lack these tools, then use password aging to assure that passwords will change over time. Finally, crack your own passwords—your enemies are certainly doing so.