#1 2005-05-09 17:38:19

sweiss
Member
Registered: 2004-02-16
Posts: 635

Extra usernames - are they needed?

I had a look at /etc/passwd and saw a lot of usernames which I've no idea what they are used for:

bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
ftp:x:14:11:ftp:/home/ftp:
nobody:x:99:99:nobody:/:

Can someone explain what are all these usernames for? Can I make their shell /sbin/nologin or do they need a shell?

Thanks in advance.

#2 2005-05-09 20:25:41

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: Extra usernames - are they needed?

Well, they're just users created for the needs of running different daemons. It seems that in Arch bin is used by portmap, nobody by samba/http, ftp and mail are self-explanatory. daemon is probably used by some daemon as well, as the name indicates ;-)

They don't need to have a shell defined (including /bin/false - there's no /sbin/nologin in Arch), because their passwords are blank and passwordless logins ought to be forbidden. Or something like that ;-)

It wouldn't hurt to add /bin/false as their shell to be utterly sure no one's gonna break into that account, but I remember I had some problems with vsftpd (or was it pure-ftpd) with ftp account using /bin/false.

#3 2005-05-09 20:57:25

LB06
Member
From: The Netherlands
Registered: 2003-10-29
Posts: 435

Re: Extra usernames - are they needed?

It is safer to run a daemon as a non-root user. If an intruder, in case of an exploit, manages to break into the system, he(m/f) will not have superuser rights.

#4 2005-05-10 10:50:44

sweiss
Member
Registered: 2004-02-16
Posts: 635

Re: Extra usernames - are they needed?

lucke wrote:

Well, they're just users created for the needs of running different daemons. It seems that in Arch bin is used by portmap, nobody by samba/http, ftp and mail are self-explanatory. daemon is probably used by some daemon as well, as the name indicates ;-)

They don't need to have a shell defined (including /bin/false - there's no /sbin/nologin in Arch), because their passwords are blank and passwordless logins ought to be forbidden. Or something like that ;-)

It wouldn't hurt to add /bin/false as their shell to be utterly sure no one's gonna break into that account, but I remember I had some problems with vsftpd (or was it pure-ftpd) with ftp account using /bin/false.

Oh, I see. In that case, I'd leave it as is. I was wondering what's Arch's equivalent to /sbin/nologin, thanks for that.

Thank you both for the explanations.
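
An added example, not part of any post in this thread: a small audit of passwd(5) entries like the ones quoted in the first post, listing system accounts whose shell field still resolves to a usable shell. The UID cut-off, the list of non-login shells, and the `svc` and `alice` lines are assumptions made for the illustration.

```python
# Assumption: common non-login shells; extend for the local distribution.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/usr/bin/nologin"}
SYSTEM_UID_MAX = 999  # Assumption: UIDs 1-999 are system accounts (distro-dependent).

# The five lines quoted in the first post, plus two constructed entries (svc, alice).
SAMPLE = """\
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
ftp:x:14:11:ftp:/home/ftp:
nobody:x:99:99:nobody:/:
svc:x:50:50:constructed entry:/:/bin/false
alice:x:1000:1000:constructed entry:/home/alice:/bin/bash
"""

def parse_passwd(text):
    """Split passwd(5) text into dicts; reject lines that do not have 7 fields."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "shell": shell})
    return entries

def password_state(pw):
    """Classify the second field of a passwd entry."""
    if pw == "":
        return "empty"           # no password required
    if pw == "x":
        return "shadow"          # real value lives in /etc/shadow
    if pw[0] in "*!":
        return "locked"          # cannot match any password hash
    return "hash-in-passwd"

def audit(text):
    """Return (name, effective shell, password state) for system accounts with a usable shell."""
    findings = []
    for e in parse_passwd(text):
        if not 1 <= e["uid"] <= SYSTEM_UID_MAX:
            continue             # skip root and regular users
        effective = e["shell"] or "/bin/sh"  # passwd(5): an empty shell field means /bin/sh
        if effective not in NOLOGIN_SHELLS:
            findings.append((e["name"], effective, password_state(e["pw"])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For entries reported as `shadow`, whether a password login can succeed is decided by the matching line in /etc/shadow, which this sketch does not read.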
