any reason for a user without a homedir - security/config/application?


 
# 1  
Old 05-12-2008

Hi,

Can I just quickly pick everyone's brain here about the following:

There is a security audit going on at the company I work for and one of the things that needed to be resolved was that there were a lot of users who don't have a home directory.
As this is a fairly large environment of over 500 servers, there are a lot of users with this sort of problem (+300). Most of these are actual user accounts but some of them are application users.
I thought of solving the issue by writing a script that will resolve this by creating the user's homedir if it doesn't exist and adjusting the passwd file accordingly. But before I start on this, I'd like to know if this action might have other woeful implications which I haven't thought about yet... So has anyone ever encountered a reason as to why not to create or set a homedir?
# 2  
Old 05-12-2008
From time to time, I have cause to create users with no homedirs, but in those cases, I set the homedir to /.

In your case it sounds like they do have a home dir set (like /export/home/username etc) but the directory is missing? If so, and if these home dirs are not some kind of broken attempt to create users with no home directory, then it should be fine to create them.

If you do though, I'd suggest skipping any users that have home dir paths on your root filesystem. This protects you from the user creating a large file and interfering with the system's functions by filling up / or some other important filesystem used by the OS.
# 3  
Old 05-12-2008
Quote:
Originally Posted by Solarius
...Most of these are actual user accounts but some of them are application users...
...resolve this by creating the users homedir if it doesn't exist and adjust the passwd file...
You could assign /tmp as the home dir for these users. I always feel a little queasy about putting somebody in "/", lest they also have sudo permissions, and (even unknowingly) cause major trouble.
# 4  
Old 05-12-2008
It does indeed seem that most of them are just errors made while creating the users.
I guess to be safe I'll do it in 3 parts, 1st is to create the directories that are defined in the passwd files and 2nd part will be to check the users with no homedir in the passwd and see whether the homedir actually exists, if so then adjust the passwd file.
3rd part will be to manually go over the rest (those with no homedir defined in both conditions)... just to be on the safe side in case there is cause for such weird setup.

Cheers for your input!
# 5  
Old 05-12-2008
Quote:
Originally Posted by frozentin
You could assign /tmp as the home dir for these users. I always feel a little queasy about putting somebody in "/", lest they also have sudo permissions, and (even unknowingly) cause major trouble.
I'm not such a fan of /tmp, it creates a fairly large security vulnerability. Imagine that you are a user on a Solaris system where you know some users have homedirs set to /tmp. Now imagine that the server has been recently restarted and /tmp is pristine and empty and you are a somewhat mischievous sort.
Creating /tmp/.ssh won't get you very far as ssh performs a number of integrity checks to protect you from sneakiness here, but think about .Xauthority files for instance, I could create an xauth cookie that I know, then put an Xauthority file in /tmp and wait for a user to log in. They'd potentially 'reuse' our version of the cookie and allow us to gain control of their screen, keyboard and mouse. Alternatively, one could create a profile, .login, .cshrc, .bashrc or .kshrc that does a bunch of evil things as/to the user logging in.
Even worse/funnier they would be unable to remove or alter these files so they couldn't even fix it themselves if they noticed.

Why would sudo be affected by the homedir?
# 6  
Old 05-13-2008
Thanks Smiling Dragon for that detail on home directories and /tmp, and a very good point.

Regarding sudo issues for /:
In any environment where multiple users have passwordless sudo access, wouldn't one fast finger/slow brain mistake lead to potentially irreparable damage to FSs?
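
The three-pass triage from post #4, combined with the cautions raised in the replies about "/", /tmp and the root filesystem, as an added read-only example that is not part of the original thread. The function names, the sandbox prefix argument and the sample passwd entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: read-only triage of passwd-format entries by home-directory state.
# Nothing on the real system is created or edited; the output is a worklist.

# classify_home HOME [PREFIX] -> UNSET | ROOT | SHARED | MISSING | OK
# PREFIX is an assumption of this example: a sandbox root for dry runs.
classify_home() {
    case $1 in
        "")            echo UNSET ;;    # empty home field: review by hand
        /)             echo ROOT ;;     # home is "/": review by hand
        /tmp|/var/tmp) echo SHARED ;;   # world-writable: dotfiles can be pre-planted
        *) if [ -d "${2:-}$1" ]; then echo OK; else echo MISSING; fi ;;
    esac
}

# on_root_fs PATH -> yes | no: is the nearest existing ancestor mounted on "/"?
on_root_fs() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != / ]; do p=$(dirname "$p"); done
    if [ "$(df -P "$p" | awk 'NR==2 {print $6}')" = / ]; then echo yes; else echo no; fi
}

# audit_passwd FILE [PREFIX]: one line per account, user:home:STATE:rootfs=yes|no
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac
        state=$(classify_home "$home" "${2:-}")
        echo "$user:$home:$state:rootfs=$(on_root_fs "${2:-}${home:-/}")"
    done < "$1"
}

# Constructed sample data (not from the thread): a sandbox tree and passwd file.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/export/home/alice"
cat > "$SANDBOX/passwd" <<'EOF'
alice:x:1001:100::/export/home/alice:/bin/ksh
bob:x:1002:100::/export/home/bob:/bin/ksh
appsvc:x:2001:200::/:/bin/false
batch:x:2002:200::/tmp:/bin/sh
legacy:x:2003:200:::/bin/sh
EOF
audit_passwd "$SANDBOX/passwd" "$SANDBOX"
```

MISSING entries with rootfs=no are the candidates for automatic directory creation; ROOT, SHARED, UNSET and anything with rootfs=yes go to the manual pass.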