On a Linux system there are lots of users by default: daemon, bin, sys, games, etc.
According to my /etc/passwd most of these users have a shell assigned (/bin/sh), which seems kind of insecure to me. My naive thinking would say: Only give those users a shell that may log in to the server.
Is my thinking wrong?
If not completely wrong: Can I disable the shell for "daemon" and "www-data" without having side effects (e.g. the system won't start or the Apache PHP cannot execute system calls)?
Added: My distribution is a Debian Squeeze.
Thanks for your hints!
Best Answer
I am curious what Linux distribution you are seeing this in, because most distributions that I know of (and I just verified this on CentOS and Gentoo) have the shell for such users "disabled" as you are describing.
So, yes, it is safe to set the shell to /bin/false or /sbin/nologin. But maybe first figure out why they are not set to that value in the first place. Maybe this is something specific for the system that you are looking at.
For Debian (as I see mentioned in the first comment) there is this other question that might be relevant. You can see that other people, too, consider this a bug (bug 274229, bug 581899, bug 330882).
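An audit for the situation described above, added here as an example and not part of the original question or answer: it reads a passwd-format file and lists the system accounts whose shell is not /bin/false or nologin. The function name, the UID boundary of 1000 and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list system accounts that still have a usable login shell.
# Usage: audit_system_shells FILE|- [UID_MIN]   ("-" reads standard input)
# UID_MIN (default 1000) is an assumed boundary for regular users; check
# UID_MIN in /etc/login.defs on the machine being audited.
audit_system_shells() {
    awk -F: -v uid_min="${2:-1000}" '
        /^#/ || NF != 7 { next }      # skip comments, blank or malformed lines
        $3 == 0 { next }              # root keeps its shell
        # 65534 is the "nobody" UID on Debian; treat it as a system account
        $3 + 0 >= uid_min && $3 != 65534 { next }
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # passwd(5): empty means /bin/sh
            n = split(shell, parts, "/")
            if (parts[n] == "nologin" || parts[n] == "false") next
            print $1, $3, shell
        }
    ' "$1"
}

# Constructed sample in /etc/passwd format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:104:MySQL Server,,,:/var/lib/mysql:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
EOF
}

# Demo run on the constructed sample; prints one "name uid shell" line per finding.
sample_passwd | audit_system_shells -
```

On a real host, call audit_system_shells /etc/passwd; each account it reports can then be changed with usermod -s, using one of the two shells named in the answer.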