Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.

Most have nologin or /bin/false.

--
After all is said and done, more is said than done.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Monday 14 May 2018 00:14:36 CEST, John Andersen wrote:
> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>
> Most have nologin or /bin/false.

IIRC it's been like that for ages. Question: did you try to login as user nobody? If you can't ......

--
Gertjan Lettink a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
On 05/13/2018 03:20 PM, Knurpht @ openSUSE wrote:
> On Monday 14 May 2018 00:14:36 CEST, John Andersen wrote:
>> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>>
>> Most have nologin or /bin/false.
>
> IIRC it's been like that for ages. Question: did you try to login as user nobody? If you can't ......

I can't directly log in because I don't know the password. But it stops and asks for one.

This sequence does yield a shell as user nobody:

    sudo -s
    su nobody

So now I have a shell as nobody.

Of course, I had root, so you say it's sort of a false test, but still that DOES NOT work on any other linux that I am aware of.

The oldest opensuse I have access to allows a shell for nobody. SLES allows a shell for nobody. But none other do.

I wonder if it slipped into the distro a long time ago, and was simply forgotten?

Admittedly not much uses "nobody" routinely any more. In days past portmap used to run as nobody, and further in the past several daemons used to run that way. Now I suspect it is purely transient things.

There may be a risk that something running as nobody could be crashed to a shell.

--
After all is said and done, more is said than done.
On 05/13/2018 06:37 PM, John Andersen wrote:
> I can't directly log in because I don't know the password. But it stops and asks for one.
>
> This sequence does yield a shell as user nobody:
>
>     sudo -s
>     su nobody
>
> So now I have a shell as nobody.
>
> Of course, I had root, so you say it's sort of a false test, but still that DOES NOT work on any other linux that I am aware of.

Since you're root, you can always assign a password and try again.
On 13/05/18 06:14 PM, John Andersen wrote:
> Most have nologin or /bin/false.

Next Up: "why do some have 'nologin' and some have 'false'?"

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
Anton Aylward wrote:
> On 13/05/18 06:14 PM, John Andersen wrote:
>> Most have nologin or /bin/false.
>
> Next Up: "why do some have 'nologin' and some have 'false'?"

/sbin/nologin is more polite, and you can customise the message. /usr/bin/false says nothing.

--
Per Jessen, Zürich (10.6°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 14/05/18 03:29 AM, Per Jessen wrote:
> Anton Aylward wrote:
>> On 13/05/18 06:14 PM, John Andersen wrote:
>>> Most have nologin or /bin/false.
>>
>> Next Up: "why do some have 'nologin' and some have 'false'?"
>
> /sbin/nologin is more polite, and you can customise the message. /usr/bin/false says nothing.

100% true and accurate and 50% not answering the intent of my question

Column 1: "nologin" accounts
    nscd vnc polkitd scard rpc pulse statd nm-openvpn colord qemu usbmux systemd-timesync lirc systemd-network systemd-bus-proxy

Column 2: "false" accounts
    mail wwwrun avahi-autoipd messagebus ntp tftp dnsmasq sshd rtkit postfix avahi sddm mysql kdm fetchmail dovecot dovenull

If pressed, I could justify a few, *perhaps*, of the "false", but then there are some in the 'nologin' column that I think should be in the 'false' and vice versa.

Many years ago there was a paper that impressed me: "Life without root[1]". It was about how auxiliary login accounts could be used to delegate functions that are normally reserved for root. The paper described administration of printers and of UUCP, which tells you it comes from a century ago!

Perhaps some of these are suitable for that kind of administration?

[1] LISA IV, Colorado Springs, October 1990. Steve Simmons, ITI.
Abstract: "Often the people most qualified to perform certain system administration tasks are not necessarily qualified to have root access in general. This paper will discuss the rationale and methods for having non-root accounts do some types of systems administration. We will discuss two subsystems which we are currently administering without root and apply that experience to suggest some general rules.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 14/05/18 01:34, Anton Aylward wrote:
> On 13/05/18 06:14 PM, John Andersen wrote:
>> Most have nologin or /bin/false.
>
> Next Up: "why do some have 'nologin' and some have 'false'?"

false always returns an error as true always returns success. They've got nothing to do with login.

Dave P
On 2018-05-14 00:14, John Andersen wrote:
> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>
> Most have nologin or /bin/false.

But in openSUSE there are some jobs that are done as "nobody", and that probably needs a shell and a home.

    cer@Telcontar:~> grep nobody /etc/passwd
    nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
    cer@Telcontar:~>
    cer@Telcontar:~> l /var/lib/nobody
    total 12
    drwxr-xr-x   2 nobody root   4096 May 10  2017 ./
    drwxr-xr-x 113 root   root   4096 May 12 14:24 ../
    -rw-------   1 nobody nobody  404 Oct 27  2014 .bash_history
    cer@Telcontar:~>

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
On 05/13/2018 08:49 PM, Carlos E. R. wrote:
> On 2018-05-14 00:14, John Andersen wrote:
>> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>>
>> Most have nologin or /bin/false.
>
> But in openSUSE there are some jobs that are done as "nobody", and that probably needs a shell and a home.

Like what jobs, for example?

Are there any files setuid for nobody?

    sudo find / -user nobody -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    sudo cat /tmp/filename

Nope.

So maybe a daemon of some sort needs to be run from a shell?

    sudo ps -u nobody

Nothing found.

I have another old linux box in the corner that still runs portmap as user nobody but it's just a print server, and it probably shouldn't be running portmap at all. It runs with no shell, no terminal.

Running daemons as nobody is frowned upon these days, and has been for quite a while.

But you say you know of some jobs that must be done as nobody??

--
After all is said and done, more is said than done.
On 2018-05-14 10:25, John Andersen wrote:
> On 05/13/2018 08:49 PM, Carlos E. R. wrote:
>> On 2018-05-14 00:14, John Andersen wrote:
>>> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>>>
>>> Most have nologin or /bin/false.
>>
>> But in openSUSE there are some jobs that are done as "nobody", and that probably needs a shell and a home.
>
> Like what jobs, for example?

updatedb

See file "/etc/sysconfig/locate".

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
On 05/13/2018 05:14 PM, John Andersen wrote:
> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>
> Most have nologin or /bin/false.

It may be on openSuSE, my Leap 42.3 is, but not generally, e.g. Arch has /usr/bin/nologin

--
David C. Rankin, J.D.,P.E.
On 14.05.2018 00:14, John Andersen wrote:
> Is it customary and usual for User nobody to have /bin/bash as a shell? It seems that Opensuse is the only linux I have that allows this.
>
> Most have nologin or /bin/false.

nobody is used for root_squash in NFS usually. See here:
http://fullyautolinux.blogspot.de/2015/11/nfs-norootsquash-and-suid-basic-nf...

But since exploiting suid binaries does not require a login, setting the shell to false/nologin does not change the security level.
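
The check done by hand with grep in this thread, extended to every system account in a passwd-format file. This is an added example, not code from any poster or from openSUSE; only the "nobody" line in the sample comes from the thread, and the other sample entries and the UID threshold of 1000 are assumptions.

```shell
#!/bin/sh
# Added example: list system accounts that still have an interactive shell.

# Constructed sample. Only the "nobody" line is quoted from the thread;
# every other entry is made up for illustration.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
sshd:x:477:477:SSH daemon:/var/lib/sshd:/bin/false
nscd:x:478:478:Name service cache:/run/nscd:/sbin/nologin
ntp:x:74:108:NTP daemon:/var/lib/ntp:
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF
}

# audit_shells [UID_MIN]
# Reads passwd records on stdin and prints "name uid shell" for each
# non-root account below UID_MIN (assumed 1000; the local value is set in
# /etc/login.defs), plus UID 65534, whose shell is not a nologin or false
# binary. An empty shell field falls back to /bin/sh, so it is reported too.
audit_shells() {
    awk -F: -v min="${1:-1000}" '
        /^[ \t]*#/ || NF < 7 { next }            # comments, blanks, short lines
        {
            uid = $3 + 0
            shell = ($7 == "") ? "/bin/sh(default)" : $7
            if (uid == 0) next                   # root is expected to log in
            if (uid >= min && uid != 65534) next # ordinary user accounts
            if (shell ~ /\/(nologin|false)$/) next
            print $1, uid, shell
        }'
}

# Demo on the constructed sample; on a real host: audit_shells < /etc/passwd
sample_passwd | audit_shells
```

An account listed here can still be blocked from password login by a locked entry in /etc/shadow, so the output is a list to review rather than a list of usable logins.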
participants (10)
- Anton Aylward
- Carlos E. R.
- Carlos E. R.
- Dave Plater
- David C. Rankin
- Florian Gleixner
- James Knott
- John Andersen
- Knurpht @ openSUSE
- Per Jessen