Re: Permissions on NFS mounts
On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote:
> > Left alone, having unneeded users on a given machine could be a
> > security threat, at least in the sense that it provides a greater than
> > necessary attackable surface area. What can be done about that?
> > Obviously one thing would be setting the shell to /dev/null in the
> > password file of those machines that don't need a given user, to
> > prevent interactive logins. What else could be done? Is there a way to
> > put an account "beyond use", in any way including su, sudo etc, while
> > still having the machine recognise the user for being a user and
> > therefore not messing up the mapping of user IDs on shared resources
> > like NFS? In other words, create the sense of "yes this user exists,
> > but they are not welcome here"?
> passwd -l/--lock <username>
sudo -u <locked_user> /bin/bash -i
That little trick defeats "locked" account status, an absence of a
password and even /usr/sbin/nologin set as a default shell.
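
An audit sketch for the point made above, added here and not part of the original message: sudo authenticates the invoking user, so what decides whether a locked or nologin account can still be used is the Runas list in sudoers. The file contents are constructed samples, the function names are hypothetical, and the sudoers parsing is deliberately simplified (no aliases, includes or line continuations).

```python
import re

# Constructed sample files; on a real host read /etc/passwd, /etc/shadow, /etc/sudoers.
PASSWD = """root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
nfsonly:x:1001:1001::/home/nfsonly:/usr/sbin/nologin
svc:x:1002:1002::/srv/svc:/bin/bash"""
SHADOW = """root:$y$constructed:18600:0:99999:7:::
alice:$y$constructed:18600:0:99999:7:::
nfsonly:!$y$constructed:18600:0:99999:7:::
svc:!:18600:0:99999:7:::"""
SUDOERS = """# constructed rules
Defaults env_reset
alice ALL=(ALL:ALL) ALL
bob ALL=(root) /usr/bin/systemctl
%ops ALL = (nfsonly) /usr/bin/id
carol ALL=/usr/bin/apt"""

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/dev/null"}
# Simplified rule shape: who host = (runas_users[:runas_groups]) commands
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?")

def restricted_accounts(passwd, shadow):
    """Accounts with a locked password ('!' or '*' prefix) or a no-login shell."""
    locked = {f[0] for f in (l.split(":") for l in shadow.splitlines())
              if f[1].startswith(("!", "*"))}
    noshell = {f[0] for f in (l.split(":") for l in passwd.splitlines())
               if f[6] in NOLOGIN}
    return locked | noshell

def runas_exposure(sudoers, restricted):
    """For each restricted account, list sudoers subjects allowed to run as it."""
    exposure = {name: [] for name in sorted(restricted)}
    for line in sudoers.splitlines():
        m = RULE.match(line.strip())
        if not m or line.lstrip().startswith(("#", "Defaults")):
            continue
        # No Runas spec means root only; the part before ':' is the user list.
        users = (m.group(2) or "root").split(":")[0]
        targets = {u.strip() for u in users.split(",")}
        for name in exposure:
            if "ALL" in targets or name in targets:
                exposure[name].append(m.group(1))
    return exposure

if __name__ == "__main__":
    for name, who in runas_exposure(SUDOERS, restricted_accounts(PASSWD, SHADOW)).items():
        print(f"{name}: reachable via sudo -u by {who or 'nobody'}")
```

Any subject listed against a restricted account is a candidate for a narrower Runas list, such as (root) in place of (ALL).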