
Re: nobody with a shell !!



Hi,

I looked at the file /etc/passwd on my server today, and I saw that the
user nobody has a shell!! When I installed my Debian (sarge, I know it's
bad, but it's just a server for me...) I put /bin/false. A few days ago,
during an upgrade, apt asked me to upgrade that file to the new
version and I answered yes, so I think it comes from that action, but
could it be insecure to put /bin/sh for nobody?

Well yes it could :) As long as the user has no valid password it's not
very useful. Take a look into /etc/shadow and in the second field
you'll find ! or * indicating that this user has an invalid password.
See man 5 shadow.

There is an * in /etc/shadow for nobody, but all services (ftp, web...)
are running with the uid nobody, so if there is an attack on an unknown
bug (I keep all services up to date) in those services (buffer overflow
for example), it will be insecure...

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
                                         ^^^^^^^
I changed it to:

nobody:x:65534:65534:nobody:/dev/null:/bin/false

This might be bad because AFAIK a few cronjobs change from their root uid
to nobody via the su command. See your /var/log/syslog; maybe you'll now
get some errors from cron jobs at night.

I will pay attention, thx

Sven

Yoann
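
The check discussed in this thread (which system accounts have a login shell in /etc/passwd, and whether their /etc/shadow password field is locked), as an added example that is not part of the original messages. The sample entries, the uid_min cutoff of 1000 and the list of non-login shells are assumptions.

```python
NON_LOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample files (assumption: not taken from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
ftp:x:105:65534::/home/ftp:
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hash:12800:0:99999:7:::
daemon:*:12800:0:99999:7:::
www-data:!:12800:0:99999:7:::
ftp::12800:0:99999:7:::
nobody:*:12800:0:99999:7:::
"""

def password_state(field):
    """Classify the second field of an /etc/shadow entry (see shadow(5))."""
    if field == "":
        return "EMPTY"    # no password required at all
    if field[0] in "!*":
        return "locked"   # not a valid hash: password login is impossible
    return "set"

def audit(passwd_text, shadow_text, uid_min=1000, nobody_uid=65534):
    """Return (user, uid, shell, password_state) for each non-root system
    account that still has a login shell."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = password_state(parts[1])
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue      # skip blank or malformed lines
        # An empty shell field means /bin/sh (see passwd(5)).
        user, uid, shell = parts[0], int(parts[2]), parts[6] or "/bin/sh"
        is_system = 0 < uid < uid_min or uid == nobody_uid
        if is_system and shell not in NON_LOGIN_SHELLS:
            findings.append((user, uid, shell, shadow.get(user, "no shadow entry")))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-8s uid=%-6d shell=%-8s password=%s" % row)
```

When root runs su with `-s /bin/sh`, the shell is given explicitly, so jobs that switch to nobody this way do not depend on the shell field in /etc/passwd.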



