Proper account administration is vital to keeping your computer
secure. Be very careful about accounts without passwords: by
definition, these accounts can be used by anyone who knows about
them. Examine the default accounts that come with your computer: make
sure that they cannot be used or, if they can be used, make sure that
their passwords have been changed.
Do not set up group accounts—that is, a single account that is
used by more than one person. Group accounts diffuse accountability,
which invariably makes some people act with less responsibility.
(Plato observed this correlation more than 2,000 years ago when he
wrote The Republic.)
You can place restrictions on accounts using either the
chroot( ) or jail( ) system
calls. You can also protect the superuser account by using SUID
programs and other tools so that people do not need to be told the
superuser password to get their work done.
Even in this day of biometrics and sophisticated security tokens,
passwords remain the primary defense for many Unix installations.
Make sure that your users do not employ passwords that are easily
guessed. Use tools to detect account misuse or password abuse; if you
lack these tools, then use password aging to assure that passwords
will change over time. Finally, crack your own passwords—your
enemies are certainly doing so.