LinuxQuestions.org - Why does www-data have /bin/sh as a shell?

- Debian (https://www.linuxquestions.org/questions/debian-26/)

- - Why does www-data have /bin/sh as a shell? (https://www.linuxquestions.org/questions/debian-26/why-does-www-data-have-bin-sh-as-a-shell-600327/)

Why does www-data have /bin/sh as a shell?

I'm looking at /etc/password and can't help but notice the following entries:

Code:

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

backup:x:34:34:backup:/var/backups:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

irc:x:39:39:ircd:/var/run/ircd:/bin/sh

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

And I simply can not understand why the shells are not /bin/false or /usr/sbin/nologin.

Also, why is there a 'news' user on my system when I have no related software installed? (or do I? -- and how to detect said software) Same for lp, UUCP, proxy.. list.. gnats.

Quote:

Originally Posted by reverse (Post 2961812)

why is there a 'news' user on my system

There may be a service or application running under a specific UID. Some package managers are capable of listing that kind of specs, else try 'find ' with the "-user" arg.

Quote:

Originally Posted by reverse (Post 2961812)

I simply can not understand why the shells are not /bin/false or /usr/sbin/nologin.

That's part of hardening. Unfortunately users who don't know won't find out until they run auditing software like Tiger or Lsat. Changing shells to an inert one is something you have to do yourself or run SW like Bastille-Linux.

The problem is, most users most likely don't care about further securing their syststem (perhaps thinking updating is enough or "linux is secure by default" <- result of bad propaganda) , let alone run auditing software.

Debian Specific: Given that the Debian Security How-To, turned into a book, would be over 100 pages long, and given that's just basic/minimal security.. I don't know how many users are willing to go through *THAT*.