Security – Does www-data user need a real shell

Securityuser-accounts

Interestingly enough, on my Ubuntu derivative with nginx installed with apt, the www-data user has a shell:

$ cat /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh

Shouldn't this be set to something like /bin/false? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?

Best Answer

Well /bin/false (or /bin/true if you're a positive person) is a real shell - it's just not an interactive shell :-) There's also /sbin/nologin on some systems which serves the same purpose.

As to whether your Apache user needs an interactive shell (something like bash), the answer as others have said is "Usually, no."
Setting the Apache user's shell to something non-interactive is generally good security practice (really all service users who don't have to log in interactively should have their shell set to something that's non-interactive).

Tour an existing environment like yours, try it, and see if anything breaks.
If nothing breaks use the non-interactive shell from now on.
If stuff breaks try to fix it without restoring the interactive shell :-)

Related Solutions

Linux – LAMP setup + FTP – problem with user privileges

Referring to the VSFTPD man page conf (http://vsftpd.beasts.org/vsftpd_conf.html), in your vsftpd.conf file, there is a configuration setting called local_umask.

By default, it is 077, which is what produces your -rw------- permission. To give every file a -rw-r--r-- permission, set local_umask to 022.

Remember to restart your vsftpd server once you change the conf file.

Security – Apache service server demon priviiges (with respect to web directory structure, permissions and security)

If you're having trouble changing the group on the folder, make sure that you're root. You can't change the group of a folder or file unless you are the owner and in the group, or you're the superuser.

Ditch the admin GUI and open a shell. (Terminal, xterm, etc.)

chgrp www-data /home/morpheous/work/websites/testproject
chmod 2770 /home/morpheous/work/websites/testproject

# Set mode rwxrws--- the '2' sets the 's' sticky bit,
# which causes all files and folders created in "project"
# to inherit the same group.

(This may not be the best way to configure this specific app, but I think it's a reasonable guess. I'd also recommend moving that out of your home directory... that just complicates trying to keep your personal home directory secure while giving the webserver access to write to part of it.)

As for keeping Apache from serving up files in those directories, that's already done... your document root is defined as project/web. That only gives access to files at that point and below... the log and cache folders are already excluded.

Best Answer

Related Solutions

Linux – LAMP setup + FTP – problem with user privileges

Security – Apache service server demon priviiges (with respect to web directory structure, permissions and security)

Related Topic