Allow login with password only
I am amazed to see that I can login using some default users like www-data, mysql etc with/out password in linux. How can I allow login with correct password only? and some default users should note to be able login.
My OS Linux friend 3.2.0-4-686-pae #1 SMP Debian 3.2.96-2 i686 GNU/Linux |
You can log in with user nobody also. If you set a password for mysql, that will stop, but so might mysql:(
A better way to go if you're excited about it is to limit what user mysql can do. The guy who did qmail set up users with a shell of '/bin/true' which isn't much use to a hacker |
By default system users like www-data and nobody are disabled and you should not be able to login. It is possible to use su or sudo to become a system user which is something different.
How are you logging in to www-data with/out password? |
Quote:
Also, when doing ssh, if I enter wrong password for root it enters which shouldn't. |
Can you post the lines /etc/passwd and /etc/shadow for www-data?
|
Quote:
passwd www-data:x:33:33:www-data:/var/www:/bin/sh shadow www-data:*:17108:0:99999:7::: |
Although you state the distribution is debian you have not fully described how it is configured nor how you are actually are logging in as www-data with or without a password.
Quote:
|
On my CentOS system, I've configured the system users (and mail-only users, for that matter) with /sbin/nologin as the login shell. Even root can't su to those:
Code:
# su someuser Which? |
All times are GMT -5. The time now is 03:05 AM. |