Default Disable

Status
Not open for further replies.

Michael C.

Cadet
Joined
Sep 27, 2014
Messages
3
I am new to FreeNAS, and had a question about the default users. I looked over the manuals and did some forum searches. Maybe some of the regulars, more experienced FreeNAS users, can point me to some discussions/guidelines. I looked over the default install, and I understand everyone has different uses, so this is not a criticism. I noticed users like ftp, bind, proxy, etc. With the understanding that someone using those services could need them, I am looking at what the issues are with disabling/deleting the users, to limit only the services/access I desire. Any information on hardening FreeNAS would be appreciated.

Thanks.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
As long as you know exactly what the users are for, you are welcome to delete whatever you want. But to be honest, can you be 100% sure that something else doesn't depend on a user that you want to delete? For example, are you sure that the 'ftp' user isn't used for *anything* else in FreeNAS?

To me this sounds like "serious risk of losing something that will gain you almost nothing". The "unused" users aren't exactly a drag on the system, so why you're concerned about them is a bit beyond my understanding. ;)
 

Michael C.

Cadet
Joined
Sep 27, 2014
Messages
3
Thanks for the input. I do understand that having the users does nothing to the system. However, some of the greatest hacks in times past were using a user that was disabled ;) to gain access. Yes, all my gear is behind firewalls, but as a Unix security person, my first instinct is to remove anything I don't use or need. I did the same thing with my EMC and NetApp products when I supported them. Was not sure if anyone had a security hardening guide.

I may ask this again, but I noticed that I have 5x3TB drives and I only get 10TB usable, under default RaidZ. What is the typical overhead?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Disabled is totally different from simply not using them. I've yet to ever see a hack that involves a disabled account. In fact, you'd have major problems with every OS in existence if disabled accounts were functional even when disabled. After all, disabling an account is the main security layer for passwords being retried too many times before you get a valid authentication.

As for your comment about removing things you don't use or need, totally sound in practice. If you *know* you don't use or need them, feel free to delete them. But like I said, if you aren't reading the source code you might be in for a surprise on which accounts are used for what internally and what things you are going to break by removing said accounts. I definitely wouldn't recommend you go deleting accounts and it's definitely never been recommended for FreeNAS.

Overhead for ZFS depends on many factors. 10TB usable seems fairly standard. RAIDZ1 takes one disk for redundancy and the remaining 3TB drives are actually like 2.72TB or something because of base-10 to base-2 conversion. Block size, number of blocks of various sizes, etc. play a role too.
 
dlavigne

Guest
Note that the GUI will not let you delete the built-in users/groups and if you do so through the CLI, they will be re-created when the system reboots or is upgraded.
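
The disabled-versus-unused distinction discussed in this thread, as an added example that is not part of any post and not FreeNAS's own code: a Python sketch that classifies accounts in FreeBSD `master.passwd`-format text by whether they can actually log in, rather than deleting them. The sample entries, the hash placeholders and the status labels are constructed for illustration.

```python
# Added example: classify accounts from FreeBSD master.passwd-format text.
# Field order: name:password:uid:gid:class:change:expire:gecos:home:shell
NOLOGIN_SHELLS = {"nologin", "false"}

# Constructed sample entries (hashes are placeholders, not real).
SAMPLE = """\
root:$6$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/csh
ftp:*:14:14::0:0:Anonymous FTP:/nonexistent:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
olduser:*LOCKED*$6$CONSTRUCTED:1001:1001::0:0:Former admin:/home/olduser:/bin/sh
backup:$6$CONSTRUCTED:1002:1002::0:0:Backup job:/home/backup:/usr/sbin/nologin
"""

def parse_master_passwd(text):
    """Yield one dict per well-formed entry; skip comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10 or not fields[2].isdigit():
            continue
        yield {"name": fields[0], "password": fields[1],
               "uid": int(fields[2]), "shell": fields[9]}

def classify(entry):
    """Return a status label (names chosen for this example)."""
    pw, shell = entry["password"], entry["shell"]
    if pw.startswith("*LOCKED*"):        # prefix written by `pw lock`
        return "locked"
    if pw == "":                         # no password required at all
        return "empty-password"
    interactive = shell.rsplit("/", 1)[-1] not in NOLOGIN_SHELLS
    if pw.startswith("$"):               # a real hash is present
        return "interactive-login" if interactive else "password-set-no-shell"
    # Anything else (typically "*") cannot match any typed password.
    return "shell-no-password" if interactive else "no-login"

def audit(text):
    return {e["name"]: classify(e) for e in parse_master_passwd(text)}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:10} {status}")
```

On a live system the same text would come from `/etc/master.passwd`, which is readable only by root.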
 