Hi,
I was just looking at my /etc/passwd file and noticed that many of the "non-user" accounts have been assigned login shells e.g.

Would it be wise to change "/bin/sh" to "/bin/false" ? Could someone kindly explain why these accounts have been allocated login shells ?

Thanks
C

Quite simply, accounts that you want to have interactive shell access (probably root and unprivileged shell users) should have a shell assigned in /etc/passwd. Most service accounts should not have one (there are exceptions, like Tomcat).

What is the system you're looking at, and who maintains it?

This doesn't look right to me. If it were my system, I'd run chkrootkit to check for rootkits (http://www.chkrootkit.org/), and if that passed look at the distribution's bugs list or online support for any known issues.

The easiest way to tell exactly which version and OS you're using is usually to run the following in a terminal:

Thanks gents. The machine is a Ubuntu 8.10 box that is part of a small home network. I only have 5 ports open : 22, 5900, 613, privoxy + tor. The firewall is set to drop everything except access to port 22, 5900 from an IP on my internal LAN.
My hosts.deny file contains the line sshd :ALL and hosts.allow has the lines:
sshd : ***.***.***.*** (a)
sshd : xxx.xxx.xxx.xxx (b)

where (a) and (b) are the only two IPs that are allowed to access the ssh server.



C

*** Update ****

chkrootkit showed no infections
rkhunter showed nothing suspicious

This is normal for an ubuntu system. It installs lots of things by default into /etc/passwd that you might not even need, like the games user on the server edition...

After breaking some things once by substituting /bin/false for some accounts, I decided to just let it be. I'm sure some of them can be turned into /bin/false, though. Here's what I've got on an ubuntu 9.04 server install with no gui (minus my user login):

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13roxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
messagebus:x:106:111::/var/run/dbus:/bin/false
postfix:x:104:115::/var/spool/postfix:/bin/false
logcheck:x:108:118:logcheck system account,,,:/var/lib/logcheck:/bin/false
ntp:x:109:119::/home/ntp:/bin/false