[ale] Service account allows sudo but no login

Jim Kinney jim.kinney at gmail.com
Tue Jul 30 13:30:03 EDT 2013


Set the account to be "disabled" by setting the password field in /etc/shadow to
'!!'. The shell can be whatever is needed to start the service. If the service
needs no shell, set it to /sbin/nologin.

e.g.:

# grep postgres /etc/passwd
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
# grep postgres /etc/shadow
postgres:!!:15824::::::


No user named postgres can log in BUT (only) root _can_ su - postgres since
there is a shell.

These accounts can't be su'ed to:
# grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

# su - bin
This account is currently not available.
# su - lp
This account is currently not available.




On Tue, Jul 30, 2013 at 12:28 PM, leam hall <leamhall at gmail.com> wrote:

> Is there a good security practice for service accounts? The goal is that
> an app can run as "myapp" but no one can login as myapp and myapp's
> password does not expire.
>
> So far best practice seems to be having a regular shell and no password,
> with specific people/groups allowed to sudo over.
>
> Thoughts?
>
> Leam
>
> --
> Mind on a Mission <http://leamhall.blogspot.com/>
>


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/
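An added example, not from Jim's post or the list: a small POSIX sh audit that checks the three properties discussed in this thread (password field locked in /etc/shadow, shell set to nologin or a real shell, and whether the password is subject to expiry) against constructed sample passwd/shadow contents. The account names and hashes below are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Audits service accounts for:
#   lock   - password field in shadow is '!', '!!' or '*' (no password login)
#   shell  - /sbin/nologin (or /bin/false) vs. a real shell that root can su - to
#   expiry - shadow field 5 (max days); empty or 99999 means the password never expires
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed sample data, not real system files.

SAMPLE_PASSWD='postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myapp:x:501:501:My App:/opt/myapp:/bin/bash
svcweak:x:502:502:Weak svc:/opt/weak:/bin/bash'

SAMPLE_SHADOW='postgres:!!:15824::::::
bin:*:15824:0:99999:7:::
myapp:$6$saltsalt$hashhashhash:15824:0:90:7:::
svcweak:$6$saltsalt$hashhashhash:15824::::::'

# classify_account NAME PASSWD_DATA SHADOW_DATA
# Prints one line: NAME lock=<locked|unlocked|missing> shell=<nologin|shell:PATH> expiry=<never|DAYS>
classify_account() {
  name=$1; passwd_data=$2; shadow_data=$3
  pline=$(printf '%s\n' "$passwd_data" | grep "^$name:" || true)
  sline=$(printf '%s\n' "$shadow_data" | grep "^$name:" || true)
  shell=$(printf '%s\n' "$pline" | cut -d: -f7)
  hash=$(printf '%s\n' "$sline" | cut -d: -f2)
  maxdays=$(printf '%s\n' "$sline" | cut -d: -f5)
  case "$hash" in
    '')       lock=missing ;;     # no shadow entry at all
    '!'*|'*') lock=locked ;;      # '!', '!!' or '*': no password will ever match
    *)        lock=unlocked ;;    # a real hash: password login is possible
  esac
  case "$shell" in
    */nologin|*/false) shellstate=nologin ;;
    *)                 shellstate="shell:$shell" ;;
  esac
  if [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then expiry=never; else expiry=$maxdays; fi
  printf '%s lock=%s shell=%s expiry=%s\n' "$name" "$lock" "$shellstate" "$expiry"
}

# Acceptable per the thread: password locked (root can still su - if a shell is set)
# and the password is not subject to expiry.
is_acceptable() {
  classify_account "$1" "$2" "$3" | grep -q 'lock=locked .* expiry=never'
}

for acct in postgres bin myapp svcweak; do
  classify_account "$acct" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
done
```

On a real host, replace the sample strings with `$(cat /etc/passwd)` and `$(cat /etc/shadow)` run as root.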