You are not logged in.

#1 2004-11-23 05:13:52

darkcoder
Member
From: A bar near you
Registered: 2004-09-10
Posts: 310

Concern about security of non user accounts (services)

Many linux distribution (also Solaris) assign /bin/false or /bin/nologin as a shell for accounts dedicated to services like web, ftp, samba, among others.  I saw that Arch do not directly assign a shell for these kind of accounts.  I would like to know (1) Arch provides another method of security or (2) /bin/false is the default for accounts that do not specify a shell ( which I doubt it).

Offline

#2 2004-11-23 05:48:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Concern about security of non user accounts (services)

useradd -D
the above command will list the defaults. So, if no shell is specified, this is what will be used (shows in the output of useradd).

you can set the default shell my doing
useradd -D -s /bin/false

I don't know why daemon user accounts do not have this set, as it should be...
Good job noticing, as this slipped my notice. *kicks himself*
Although, upon viewing my /etc/passwd file, it looks like a few of the daemons have actually added the user accounts properly. (mysql has /bin/false as the shell).
I suppose it is a matter of proper useradd scripts in the packages.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#3 2004-11-23 06:04:50

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Concern about security of non user accounts (services)

I have also notice some oddities.
-Like /etc/sshd_config is world readable by default
-there is no sshd user, so privelege seperation is not occuring (don't know this for sure, just noticed there was no sshd user setup by the sshd package).


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#4 2004-11-23 22:12:17

darkcoder
Member
From: A bar near you
Registered: 2004-09-10
Posts: 310

Re: Concern about security of non user accounts (services)

My computer is a personal one, so I do not have any daemon server installed, but from a clean 0.7 install the following accounts do not define a shell:  bin, daemon, mail, ftp, nobody.

Other services like apache, mysql, bind and others may include the same problem on its accounts, maybe not.

Again, dunno if Arch includes another way of security, but since everyone else (I mean distro) already made those changes to its daemon accounts  long time ago, It will not harm to us do the same.

Also I read somewhere that the recommended security measure is to not have accounts of services not installed at all, and that's apparently the approach Arch developers are using, at least when comparing our /etc/passwd with the ones of RH/Fedora, Gentoo.

Offline

#5 2004-11-23 22:42:59

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Concern about security of non user accounts (services)

good catch... I'll fix this up on my home comp when i get a chance

Offline

#6 2004-11-24 00:56:43

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: Concern about security of non user accounts (services)

any conjecture on the lack of sshd user?
Is the preferred, or is it an issue that needs to be fixed? Ie. Does it effect  privelege seperation for sshd?


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#7 2004-11-24 14:02:38

Michel
Member
From: Belgium
Registered: 2004-07-31
Posts: 286

Re: Concern about security of non user accounts (services)

Hey,

are there any scripts for adding a user avilable? Else, I want to welcome evryone to improve the code I wrote for this purpose. It needs some tweaking however ... maybe there is a better way:

http://bbs.archlinux.org/viewtopic.php?t=7723

Offline

#8 2004-11-24 16:32:55

darkcoder
Member
From: A bar near you
Registered: 2004-09-10
Posts: 310

Re: Concern about security of non user accounts (services)

dunno, but you can look at PKGBUILD of other daemons like postfix, mysql.

Offline

Board footer

Powered by FluxBB