Old 08-24-2013, 08:58 PM   #1
gacanepa
Which system users (UID < 1000) should have access to a shell and why?


Hi everyone,
As stated in the subject of this thread, I would like to know which system users (meaning users with UID < 1000, except for root) should, under normal circumstances, have access to a shell.
I thought about this after seeing the following line pertaining to the www-data user in my system:
Code:
me@linuxbox:~$ cat /etc/passwd | grep www
www-data:x:33:33:www-data:/var/www:/bin/sh
According to that, the www-data user has access to the Bourne shell and has a password. So, technically speaking, an external attacker could gain access to my system by trying to log in as www-data and guessing a password. Am I correct?
Any hints, suggestions, and comments will be more than welcome.
Thanks in advance.

Last edited by gacanepa; 08-24-2013 at 08:59 PM.
 
Old 08-24-2013, 09:05 PM   #2
astrogeek
Quote:
Originally Posted by gacanepa View Post
Hi everyone,
As stated in the subject of this thread, I would like to know which system users (meaning users with UID < 1000, except for root) should, under normal circumstances, have access to a shell.
I thought about this after seeing the following line pertaining to the www-data user in my system:
Code:
me@linuxbox:~$ cat /etc/passwd | grep www
www-data:x:33:33:www-data:/var/www:/bin/sh
According to that, the www-data user has access to the Bourne shell and has a password. So, technically speaking, an external attacker could gain access to my system by trying to log in as www-data and guessing a password. Am I correct?
Any hints, suggestions, and comments will be more than welcome.
Thanks in advance.
"Which" users have a shell login is too broad a question I think - different on different systems.

In the case of your www-data user, it has a home directory, shell and password, so it can log in, therefore anyone claiming to be it can also try.
 
Old 08-24-2013, 10:20 PM   #3
gacanepa
Quote:
Originally Posted by astrogeek View Post
"Which" users have a shell login is too broad a question I think - different on different systems.
You are absolutely right.
This is my /etc/passwd file:
Code:
gacanepa@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:106::/var/run/dbus:/bin/false
avahi:x:104:107:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
hplip:x:106:7:HPLIP system user,,,:/var/run/hplip:/bin/false
saned:x:107:114::/home/saned:/bin/false
gacanepa:x:1000:1000:Gabriel A. Cánepa,,,:/home/gacanepa:/bin/bash
mysql:x:108:115:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:109:116::/var/spool/postfix:/bin/false
colord:x:110:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
ftp:x:111:119:ftp daemon,,,:/srv/ftp:/bin/false
In bold red are the only "real" users (root and gacanepa). So would it be correct to assume that a good security policy would be to prevent all other system users from having access to a shell?
Thanks again.
 
Old 08-25-2013, 07:09 AM   #4
unSpawn
The majority of the users listed are only there to support subsystems: they are not used by human users. See http://www.debian.org/doc/manuals/se...s-faq-os-users for an overview of what they're for. Apart from users that run specific binaries like sync (or halt or shutdown on other Linux distributions) or users meant to have lesser privileges (backup), these users may not need a shell. You can either use your distribution's tools (like 'chsh' or 'vipw') or a 3rd party hardening application like Bastille Linux to suggest changes for you. As always, ensure you have backups before you make changes to the system.
 
Old 08-25-2013, 08:11 AM   #5
TobiSGD
Quote:
Originally Posted by gacanepa View Post
So, technically speaking, an external attacker could gain access to my system by trying to login as www-data and guessing a password. Am I correct?
Only if you allow password-based authentication for external attackers, which it is usually recommended to disable in favor of key-based authentication.
 
Old 08-26-2013, 07:45 AM   #6
fpmurphy
The majority of those privileged users should NOT have login shells.
 
Old 08-26-2013, 07:50 AM   #7
gacanepa
So, considering I have disabled password-based authentication and enabled key-based authentication for only a few "real" users, having all those users with login shells is not likely to do any damage, I believe.
Anyway, for hardening purposes I'll stick with key-based authentication and configure the majority of those system users to not have login shells.
Thanks everyone for your contributions. I'll mark each of your posts as helpful and this thread as solved.
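
An added example, not part of any post in this thread: the audit the thread converges on, listing system accounts that still have a login shell and printing (not running) the `chsh` commands that would remove it. The function names, the `KEEP` allow-list and the inclusion of `nobody` (UID 65534, above the thread's UID < 1000 cut-off) are assumptions of this example; the sample lines are adapted from the listing in post #3.

```shell
#!/bin/sh
# Added example (not from the thread): find system accounts that still have a
# login shell, then print, without running, the chsh commands to remove it.

# Constructed sample: lines adapted from the /etc/passwd listing in post #3.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
gacanepa:x:1000:1000:Gabriel:/home/gacanepa:/bin/bash'

# audit_shells: read passwd(5) lines on stdin, print "name uid shell" for every
# system account (UID 1-999, plus nobody at 65534) that has a login shell.
audit_shells() {
    awk -F: '
        /^#/ || NF != 7            { next }  # comment or malformed line
        $3 == 0                    { next }  # root is out of scope
        $3 >= 1000 && $3 != 65534  { next }  # regular human account
        # single-purpose binaries (sync, halt, shutdown) and non-shells are fine
        $7 ~ /\/(false|nologin|sync|halt|shutdown)$/ { next }
        # an empty shell field defaults to /bin/sh, so it is reported too
        { print $1, $3, ($7 == "" ? "/bin/sh(default)" : $7) }
    '
}

# suggest_fixes: turn audit output into chsh commands, skipping accounts named
# in KEEP (assumption: backup may need its shell, as post #4 suggests).
KEEP="${KEEP:-backup}"
suggest_fixes() {
    while read -r name uid shell; do
        case " $KEEP " in *" $name "*) continue ;; esac
        printf 'chsh -s /usr/sbin/nologin %s   # uid %s, was %s\n' \
            "$name" "$uid" "$shell"
    done
}

# Demo on the sample; on a real host use:  audit_shells < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_shells | suggest_fixes
```

The `x` in the second field only means the password hash is kept in /etc/shadow; running `passwd -S <user>` as root shows whether the account is locked or has a usable password.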
 
  

