
Re: Permissions on NFS mounts


On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote:
> > Left alone, having unneeded users on a given machine could be a 
> > security threat, at least in the sense that it provides a greater than 
> > necessary attackable surface area. What can be done about that? 
> > Obviously one thing would be setting the shell to /dev/null in the 
> > password file of those machines that don't need a given user, to 
> > prevent interactive logins. What else could be done? Is there a way to 
> > put an account "beyond use", in any way including su, sudo etc, while 
> > still having the machine recognise the user for being a user and 
> > therefore not messing up the mapping of user IDs on shared resources 
> > like NFS? In other words, create the sense of "yes this user exists, 
> > but they are not welcome here"?
> passwd -l/--lock <username>

sudo -u <locked_user> /bin/bash -i

That little trick defeats "locked" account status, an absence of a
password and even /usr/sbin/nologin set as a default shell.
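
An added example, not part of the original post: a Python audit that lists accounts which are password-locked (`passwd -l`) or have a nologin shell but which a sudoers rule still permits as a Runas target, the condition the reply above describes. The passwd, shadow and sudoers samples are constructed, and the one-rule-per-line sudoers parser is a simplifying assumption (no aliases, includes or line continuations).

```python
import re

# Constructed sample data, not taken from any real host.
PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/bash
carol:x:1002:1002::/home/carol:/usr/sbin/nologin
dave:x:1003:1003::/home/dave:/bin/bash
"""
SHADOW = """\
alice:$6$salt$hash:18600:0:99999:7:::
carol:$6$salt$hash:18600:0:99999:7:::
dave:!$6$salt$hash:18600:0:99999:7:::
"""
SUDOERS = """\
alice ALL=(ALL:ALL) ALL
%backup ALL=(carol) NOPASSWD: /usr/bin/rsync
bob ALL=(root) /usr/bin/systemctl
"""

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/dev/null"}
# Simplified rule shape (assumption): who host=(runas[:group]) commands
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^):]*)(?::[^)]*)?\)")

def restricted_accounts(passwd, shadow):
    """Map user -> reasons an admin would consider the account unusable."""
    reasons = {}
    for line in shadow.splitlines():
        user, pw = line.split(":")[:2]
        if pw.startswith("!"):  # passwd -l prefixes the stored hash with '!'
            reasons.setdefault(user, []).append("password locked")
    for line in passwd.splitlines():
        fields = line.split(":")
        if fields[6] in NOLOGIN:
            reasons.setdefault(fields[0], []).append("shell " + fields[6])
    return reasons

def reachable_via_sudo(passwd, shadow, sudoers):
    """Sorted (grantee, target, reasons) where a rule allows a restricted target."""
    restricted = restricted_accounts(passwd, shadow)
    hits = set()
    for line in sudoers.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        runas = {u.strip() for u in m.group(2).split(",")}
        for target, why in restricted.items():
            if "ALL" in runas or target in runas:
                hits.add((m.group(1), target, ", ".join(why)))
    return sorted(hits)
```

Rules whose Runas list is only `root` are not flagged here, although root can itself run commands as any account.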

