These accounts are intended to run specific software. You can restrict these accounts in order to limit their access to the system. Also, these accounts can belong to unique groups in order to provide specific access to their files that normal users cannot access.
For example, the nobody account is used to perform the updatedb. The updatedb utility maintains the file database used by the locate command. The nobody account can only see into directories that have read access to "other". So if you were to set your /etc directory to root:users with drwxr-x--- permissions then the nobody account could not see into that directory. In that case you would break the ability of the nobody account to keep the file database up to date and your locate command would not be able to locate files in that directory.
The ftp account is intended to run ftp server software.
The www account is intended to run a web server. The files in the web server's directory can belong to this account. This could prevent normal users from altering these files directly. It also allows you to put the www files in a chroot jail. This prevents the www server from seeing the normal system files. So it works both ways for this account. You protect the normal system files from the www server and you protect the www files from normal users.
One security task is to delete those accounts that you don't need. That prevents a potential attacker from using these accounts, which may have no password or which may have been misconfigured to have a command shell. Normally these accounts do not have a normal shell. Their shell is either a binary to do a specific job such as ftpd or they have a binary that cannot be used to perform any work, such as /bin/false.
|