Re: shell of place-holder accounts (shouldn't be a valid shell)
Chris Ulrich <firstname.lastname@example.org> wrote:
> On most unix systems, there are accounts that exist not for users
> but to make the filesystem look nice (uids get names instead of
> numbers with ls) or for security isolate special purpose processes
> from the rest of the system. Examples of this are the nobody user, for
> root squashed NFS, the qmail user for the different qmail daemons, the
> http user for the web server, and so on. Debian has quite a few of
> these users in the default /etc/passwd.
These are not there only to make sure that ls looks nice. These
entries also are there to ensure that these ids are not inadvertently
> Given that these accounts *never* need to have someone use them, it
> seems like a needless security flaw to give them a shell in /etc/passwd.
Note that some of the uids you gave as examples have something
appropriate (/bin/false) for their shell.
However, overall I agree that passwordless system ids should all have
/bin/false. (And there should be some well advertised debian mechanism
besides su for root to adopt these identities -- one that always uses
$SHELL or /bin/sh.)
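An added example, not part of the original messages: a small audit that lists accounts whose password is locked but whose shell is still a valid login shell, which is the condition the thread argues should be replaced with /bin/false. The passwd, shadow and shells contents are constructed samples, and treating a shadow password field that starts with `*` or `!` as "passwordless" is an assumption of this example.

```python
# Added example. All account data below is constructed for illustration.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
games:x:5:60:games:/usr/games:
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
qmaild:x:64011:65534:qmail daemon:/var/qmail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
qmaild:!:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
"""
SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""

def valid_shells(shells_text):
    """Return the set of shells listed in /etc/shells-style text."""
    lines = (l.strip() for l in shells_text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def locked_accounts(shadow_text):
    """Names whose shadow password field starts with '*' or '!' (assumed locked)."""
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1][:1] in ("*", "!"):
            locked.add(fields[0])
    return locked

def audit(passwd_text, shadow_text, shells_text):
    """Return (name, shell) for locked accounts that still have a valid shell."""
    shells, locked = valid_shells(shells_text), locked_accounts(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines
        # An empty shell field defaults to /bin/sh (see passwd(5)).
        name, shell = fields[0], fields[6] or "/bin/sh"
        if name in locked and shell in shells:
            findings.append((name, shell))
    return findings

if __name__ == "__main__":
    for name, shell in audit(PASSWD, SHADOW, SHELLS):
        print(f"{name}: locked password but login shell {shell}")
```

On a real host the three inputs would be read from /etc/passwd, /etc/shadow (root only) and /etc/shells.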