PDA

View Full Version : locking linux services account



asafmgn
08-Jan-2017, 12:43
Ive been asked to harden my linux clients by disabling the login shell to unwanted services. For example the services below were configured by default with bash shell in SLES12 SP2 installation. Im not sure about the impact if I will do this changes on the system.

Is it safe to reconfigure them with something like /sbin/nologin or /bin/false ?

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash

ab
09-Jan-2017, 00:58
Do you know that, unless you set a password, you cannot login as these
users? Their shell is not relevant unless you can either become the user
via a password (should not be set, but you can check /etc/shadow to verify
there is no password set, assuming you only use local files as you should
for these accounts) or unless you are 'root' (in which case all bets are
off; don't give out 'root' credentials to untrustworthy folks).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...