LinuxQuestions.org
Linux - Security
Old 12-20-2006, 11:31 AM   #1
kav
Member
 
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

Rep: Reputation: 15
Successful su for nobody by root?


I found a lot of these in my /var/log/auth.log

Dec 18 06:25:03 localhost su[3224]: Successful su for nobody by root
Dec 18 06:25:03 localhost su[3224]: + ??? root:nobody
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session opened for user nobody by (uid=0)
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session closed for user nobody

What does a su for nobody by root mean?
I mean I have plenty of successful su for root by (user), but what on earth is su for nobody by root?

I found this 'nobody' in my /etc/passwd file too. Is it used by a program or has my box been compromised like a chump?
 
Old 12-20-2006, 11:41 AM   #2
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 75
nobody is a system user that is used to run services e.g. apache and samba on Linux distros. Root has to start the service and then pass on control to the user "nobody".

Last edited by reddazz; 12-20-2006 at 11:44 AM.
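The pattern reddazz describes is exactly what the OP's four lines record: root, with no controlling terminal (the "+ ??? root:nobody" line), switching to nobody and closing the session within the same second. The timestamp is a second clue: on Debian-derived systems the stock /etc/crontab runs the cron.daily scripts at 06:25, so a burst of these every morning at that minute points at a scheduled job rather than at an intruder. The script below is an added example, not code from this thread: it regroups the four lines of each su run by PID, classifies each event, and reports the wall-clock minute at which every root-to-service-account switch recurs. The log lines it parses are constructed (the OP's four lines plus three invented events), and the Debian-era su/pam_unix message formats shown in the post are assumed.

```python
"""Summarise su(1) events from an auth.log in the four-line format shown in the thread.

Each su run logs under one PID: 'Successful su for TARGET by SOURCE', '+ TTY SOURCE:TARGET',
and the pam_unix session open/close lines.  Grouping by PID turns them back into one event.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the OP's lines, the same job the next morning, and two other su events.
SAMPLE_AUTH_LOG = """\
Dec 18 06:25:03 localhost su[3224]: Successful su for nobody by root
Dec 18 06:25:03 localhost su[3224]: + ??? root:nobody
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session opened for user nobody by (uid=0)
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session closed for user nobody
Dec 18 09:12:41 localhost su[4102]: Successful su for root by kav
Dec 18 09:12:41 localhost su[4102]: + pts/1 kav:root
Dec 18 09:12:41 localhost su[4102]: (pam_unix) session opened for user root by kav(uid=1000)
Dec 18 09:40:07 localhost su[4102]: (pam_unix) session closed for user root
Dec 18 23:51:19 localhost su[5571]: Successful su for nobody by kav
Dec 18 23:51:19 localhost su[5571]: + pts/2 kav:nobody
Dec 18 23:51:19 localhost su[5571]: (pam_unix) session opened for user nobody by kav(uid=1000)
Dec 19 06:25:02 localhost su[9031]: Successful su for nobody by root
Dec 19 06:25:02 localhost su[9031]: + ??? root:nobody
Dec 19 06:25:02 localhost su[9031]: (pam_unix) session opened for user nobody by (uid=0)
Dec 19 06:25:02 localhost su[9031]: (pam_unix) session closed for user nobody
"""

# Assumed message formats (Debian syslog prefix, old-style pam_unix wording as in the post).
LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ su\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SUCCESS_RE = re.compile(r"Successful su for (?P<target>\S+) by (?P<source>\S+)")
TTY_RE = re.compile(r"\+ (?P<tty>\S+) (?P<source>[^:]+):(?P<target>\S+)")
OPEN_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<name>\S*)\(uid=(?P<uid>\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (?P<target>\S+)")


def parse_su_events(log_text):
    """Return one dict per su run, in order of first appearance."""
    events, by_pid = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an su line; a real auth.log has plenty of those
        pid, msg = m["pid"], m["msg"]
        if s := SUCCESS_RE.search(msg):
            # A 'Successful su' line always starts a new event: PIDs get reused over a long log.
            ev = {"pid": pid, "date": f"{m['mon']} {m['day']}", "time": m["time"],
                  "source": s["source"], "target": s["target"], "tty": None, "uid": None,
                  "opened": False, "closed": False}
            events.append(ev)
            by_pid[pid] = ev
            continue
        ev = by_pid.get(pid)
        if ev is None:
            continue                      # session lines whose first line is outside this log slice
        if t := TTY_RE.search(msg):
            ev["tty"] = t["tty"]          # '???' means no controlling terminal (cron, daemons)
        elif o := OPEN_RE.search(msg):
            ev["uid"], ev["opened"] = int(o["uid"]), True
        elif CLOSE_RE.search(msg):
            ev["closed"] = True
    return events


def classify(ev):
    if ev["target"] == "root":
        return "escalation"               # an account became root: review every one of these
    if ev["source"] == "root" and ev["tty"] == "???":
        return "service-drop"             # root -> unprivileged account, no tty: the cron/daemon pattern
    if ev["source"] == "root":
        return "root-interactive-drop"    # root at a terminal switching to another account
    return "lateral"                      # unprivileged user -> another unprivileged account


def summarize(log_text):
    """Counts of each event class."""
    return Counter(classify(ev) for ev in parse_su_events(log_text))


def scheduled_pairs(log_text):
    """Wall-clock minutes at which each root->X service-drop occurs.
    One minute repeated across days means a scheduled job; scattered minutes deserve a closer look."""
    minutes = defaultdict(set)
    for ev in parse_su_events(log_text):
        if classify(ev) == "service-drop":
            minutes[(ev["source"], ev["target"])].add(ev["time"][:5])
    return dict(minutes)


if __name__ == "__main__":
    for ev in parse_su_events(SAMPLE_AUTH_LOG):
        print(f"{ev['date']} {ev['time']} pid={ev['pid']:>5} {ev['source']:>5} -> {ev['target']:<6} "
              f"tty={ev['tty']:<5} closed={ev['closed']!s:<5} {classify(ev)}")
    print(dict(summarize(SAMPLE_AUTH_LOG)))
    print(scheduled_pairs(SAMPLE_AUTH_LOG))
```

Run it against a real file with `python3 su_events.py < /var/log/auth.log` after swapping the sample for `sys.stdin.read()`; the interesting output is the `escalation` list (who became root, from which tty) and any `service-drop` pair whose minutes do not line up with a cron schedule.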
 
Old 12-20-2006, 12:24 PM   #3
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Do you have amavis or clam installed?
 
Old 12-20-2006, 12:27 PM   #4
kav
Member
 
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

Original Poster
Rep: Reputation: 15
That was fast, you are awesome. Thanks
 
Old 12-20-2006, 12:32 PM   #5
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
As a precautionary measure, I set the shell to /dev/null

Code:
int0x80:~$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/dev/null
Don't forget to add /dev/null as a shell
Code:
echo "/dev/null" >> /etc/shells
 
Old 12-21-2006, 07:47 AM   #6
kav
Member
 
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

Original Poster
Rep: Reputation: 15
Excellent advice, I'll do that immediately. Thanks

Are there any other users you would recommend doing that to?

Last edited by kav; 12-21-2006 at 07:50 AM.
 
Old 12-21-2006, 02:03 PM   #7
reddazz
LQ Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 75
Quote:
Originally Posted by int0x80
As a precautionary measure, I set the shell to /dev/null

Code:
int0x80:~$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/dev/null
Don't forget to add /dev/null as a shell
Code:
echo "/dev/null" >> /etc/shells
Most distros set the shell for nobody to /bin/false which is similar to your suggestion.
 
Old 12-22-2006, 07:13 PM   #8
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Quote:
Originally Posted by kav
Excellent advice, I'll do that immediatly. Thanks

Are there any other users you would recommend doing that to?
Any account that does not require interactive shell access.
Code:
int0x80:~$ grep /dev/null /etc/passwd | wc -l
29
It should also be noted that there is a difference between having the shell as /bin/false or /bin/nologin and having the shell as /dev/null. For example, set each of those as the shell for a test user, then attempt to login through SSH on each one. With a shell of /dev/null, an attacker could not be certain whether the attempted user exists on the system -- not the case where /bin/false or /bin/nologin is the shell.
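One caveat before following the /dev/null advice: /etc/shells is the list that chsh(1) and some network daemons (FTP servers, for instance) consult to decide whether an account's shell counts as a real login shell, so appending /dev/null to it makes every account that uses /dev/null look login-capable to those programs, which is the opposite of what is wanted. Also, su(1) without -s runs the target account's passwd shell, so a root cron job doing `su nobody -c ...` (the kind of job behind the OP's log lines) stops working once nobody's shell is /dev/null. The conventional disabling shells, /bin/false and /usr/sbin/nologin, are deliberately kept out of /etc/shells. The audit script below is an added example, not from this thread: it applies int0x80's rule ("any account that does not require interactive shell access") to a whole passwd file, flags system accounts whose shell is neither false nor nologin, flags /etc/shells entries that are not shells, and prints the usermod commands to fix the accounts. The passwd and shells contents are constructed, and the "system account" rule (uid below 1000, or the 65534 nobody uid) is a Debian-convention assumption.

```python
"""Audit which accounts in a passwd file have a usable login shell, cross-checked against /etc/shells."""

# Constructed sample input, not a real system's files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/dev/null
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
kav:x:1000:1000:kav,,,:/home/kav:/bin/bash
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/dev/null
"""

# Shells whose only job is to refuse a login; the path varies by distro, so list the common ones.
DISABLING_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
NOLOGIN = "/usr/sbin/nologin"      # what remediation switches accounts to (Debian path, assumption)
REASONS = {"login": "system account with a login-capable shell",
           "unlisted": "system account with a shell that is not in /etc/shells"}


def is_system_account(uid):
    # Assumption (Debian convention): uids below 1000 are system accounts, and 65534 is nobody.
    return uid < 1000 or uid == 65534


def parse_shells(text):
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_passwd(text):
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts.append({"name": name, "uid": int(uid), "shell": shell})
    return accounts


def shell_status(shell, valid_shells):
    """disabled: refuses logins.  login: listed in /etc/shells, so chsh/ftpd treat it as real.
    unlisted: not in /etc/shells, but login/sshd will still exec it if it is executable."""
    if shell in DISABLING_SHELLS:
        return "disabled"
    if shell in valid_shells:
        return "login"
    return "unlisted"


def audit(passwd_text, shells_text):
    """Return findings as (subject, shell, reason) tuples, /etc/shells problems first."""
    valid = parse_shells(shells_text)
    findings = []
    for shell in sorted(valid):
        if shell in DISABLING_SHELLS or shell.startswith("/dev/"):
            findings.append(("/etc/shells", shell, "non-shell listed as a valid login shell"))
    for acct in parse_passwd(passwd_text):
        if acct["uid"] == 0 or not is_system_account(acct["uid"]):
            continue                    # root and human users are out of scope for this rule
        status = shell_status(acct["shell"], valid)
        if status != "disabled":
            findings.append((acct["name"], acct["shell"], REASONS[status]))
    return findings


def remediation(findings, nologin=NOLOGIN):
    """usermod commands for the account findings (run as root; /etc/shells entries are edited by hand)."""
    return [f"usermod -s {nologin} {name}" for name, _shell, _reason in findings if name != "/etc/shells"]


if __name__ == "__main__":
    found = audit(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for subject, shell, reason in found:
        print(f"{subject:12} {shell:20} {reason}")
    print("\n".join(remediation(found)))
```

On a live system replace the two samples with the contents of /etc/passwd and /etc/shells; an empty findings list is the goal. The script does not check whether a listed shell is actually executable, so an unexpected path in the "unlisted" findings should be looked at by hand.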
 
Old 12-23-2006, 01:31 AM   #9
kav
Member
 
Registered: May 2006
Location: USA
Distribution: FreeBSD Ubuntu Debian
Posts: 137

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by int0x80
With a shell of /dev/null, an attacker could not be certain whether the attempted user exists on the system -- not the case where /bin/false or /bin/nologin is the shell.
Yes, /dev/null seems to be just a little bit better just for that reason.
 
Old 07-18-2008, 10:08 AM   #10
techemically
Member
 
Registered: Jul 2008
Posts: 35

Rep: Reputation: 15
Newbie here tried a bunch w/o success

typed: echo "/dev/null" >> /etc/shells

typed: grep nobody /etc/passwd
returned: nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

typed: grep nobody /etc/passwd nobody:x:65534:65534:nobody:/nonexistent:/dev/null
returned: /etc/passwd:nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
grep: nobody:x:65534:65534:nobody:/nonexistent:/dev/null: No such file or directory

I am very new here and am not sure exactly what all this means. I am concerned that I cannot get "nobody" set to /dev/null and it is persistently /bin/sh
 
Old 07-18-2008, 01:13 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally Posted by techemically View Post
typed: echo "/dev/null" >> /etc/shells

typed: grep nobody /etc/passwd
returned: nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

typed: grep nobody /etc/passwd nobody:x:65534:65534:nobody:/nonexistent:/dev/null
returned: /etc/passwd:nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
grep: nobody:x:65534:65534:nobody:/nonexistent:/dev/null: No such file or directory

I am very new here and am not sure exactly what all this means. I am concerned that I cannot get "nobody" set to /dev/null and it is persistently /bin/sh
You have already started a thread for your question, so please stick to that thread instead of going around resurrecting dead ones.

This thread is now closed.
 
  

