/etc/passwd does users 'man' and 'nobody' really need a login shell?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
/etc/passwd does users 'man' and 'nobody' really need a login shell?
Hi I'm trying to write up some basic guidlines for securing a linux server. The scenario is that I've been asked to administer(and secure) a linux server running mysql. No users except me will log in directly, only a webserver will access the database. Previous administrators went away mad and may be interested in compromising the system.
I'm farily new to linux system administration and I'm not entirely sure of my approach. My thought is to audit the /etc/passwd file and disallow login ability to EVERYONE except my user account. In the default installation of ubuntu server I'm practicing on I see several 'system' accounts that have login capability including 'man' 'games' 'nobody' and others. I'd like to remove that ability to ensure that if any of these accounts were compromised (possibly deliberately by the malicious previous admin), the system isn't compromised. Doing a little research on the web it appears that at least some system accounts need login, or shell access. Is this true? Is there any way to determine which accounts need shell access? Or am I on the wrong track entirely, trying to do something that is not useful?
There are two files related to user accounts: passwd and shadow.
The shadow file holds the password hashes. If you look at the accounts You're concerned about ,you'll see !! and/or * in the 2nd ':' delimited field.
The !! means that the account is locked out.
The * means that the account is disabled.
so why are the accounts there if they are disabled or locked? Because root can still 'su' to the accounts to do nifty things like process isolation (somebody correct me on this if I got it wrong)... when the OS is coming up, it can fork off daemons to run services as those users, but they are effectively disabled from non-root access.
Last edited by JulianTosh; 02-20-2009 at 10:36 PM.
Reason: typos
There are two files related to user accounts: passwd and shadow.
The shadow file holds the password hashes. If you look at the accounts You're concerned about ,you'll see !! and/or * in the 2nd ':' delimited field.
The !! means that the account is locked out.
The * means that the account is disabled.
so why are the accounts there if they are disabled or locked? Because root can still 'su' to the accounts to do nifty things like process isolation (somebody correct me on this if I got it wrong)... when the OS is coming up, it can fork off daemons to run services as those users, but they are effectively disabled from non-root access.
Thanks, thats helpful. I think I already knew most of that but you definitely helped me put the two files together in a more consistent way. I'm still a little curious about how these two impact security, especially in the event that a system user such as 'nobody' or worse, some less tested application, becomes compromised.
Is it possible that having a shell set in field 7 of /etc/passwd would be a security problem even if /etc/shadow has a * or ! in the password field? is it appropriate for security purposes to set this field to /bin/false or /bin/nologin or will that potentially break the application? Is setting a * or ! in the password field of /etc/shadow sufficient to keep an attacker from doing bad things if they manage to compromise an application?
The only way I can think of, off the top of my head, how those accounts can be compromised is through a vulnerability in the service that is running as them.
If that's the case, then the bad guys are already in the system but with non-root privileges.
You can't bruteforce your way into a shell with those accounts because they are locked or disabled and only accessible from the root account.
It seems to me that changing the shell to something other than a command interpreter would break whatever process that was using that account.
Bottom line is that I am pretty certain that these accounts are safe as is.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.