[ale] Service account allows sudo but no login

Lightner, Jeff JLightner at water.com
Tue Jul 30 14:58:06 EDT 2013


That’s pretty much what we do here – grant sudo access to allow “sudo su - <user>” (and sudo <user>) for the administrative user.

If the account’s main purpose is to allow multiple people to put or get files via sftp we set it up as scponly in a jail then create links into the jailed directory that our applications can write to or read from to either put files for the users to get or get files the users have put. This ensures the users can’t see anything on the server except what is in the jail. (Of course being jailed the link has to be into rather than from it as any link from it would fail.)

Side note:  With our recent conversion from HP-UX to Linux we were finally able to get rid of old ftp accounts and force everyone to use WinSCP to sftp instead into servers if necessary.

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim Kinney
Sent: Tuesday, July 30, 2013 1:30 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Service account allows sudo but no login

Set the account to be "disabled" by having the password field in /etc/shadow set to '!!'. The shell can be whatever is needed to start the service. If the service needs no shell, set it to /sbin/nologin.
e.g.:

# grep postgres /etc/passwd
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
# grep postgres /etc/shadow
postgres:!!:15824::::::

No user named postgres can login BUT (only) root _can_ su - postgres since there is a shell.
These accounts can't be su'ed to:
# grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

# su - bin
This account is currently not available.
# su - lp
This account is currently not available.


On Tue, Jul 30, 2013 at 12:28 PM, leam hall <leamhall at gmail.com> wrote:
Is there a good security practice for service accounts? The goal is that an app can run as "myapp" but no one can login as myapp and myapp's password does not expire.
So far best practice seems to be having a regular shell and no password, with specific people/groups allowed to sudo over.

Thoughts?
Leam
--
Mind on a Mission <http://leamhall.blogspot.com/>

_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo

--
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/
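As an added example (not code from this thread or any of its posters), a small Python audit that applies the two checks discussed above, a shadow password locked with '!!', '!' or '*' and a shell set to nologin, to constructed /etc/passwd and /etc/shadow lines and flags any account that still permits password login. Only the bin and postgres entries mirror the ones quoted in the thread; the other account names and hashes are hypothetical.

```python
# A locked shadow password blocks password login; the login shell decides
# whether root or a sudoer can still 'su - <user>' into the account.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample lines (not from a real host); all but bin/postgres are made up.
SAMPLE_PASSWD = """\
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
myapp:x:1001:1001:My App:/srv/myapp:/bin/bash
sftpdrop:x:1002:1002:SFTP drop:/home/sftpdrop:/usr/bin/scponly
nopass:x:1003:1003:Oops:/home/nopass:/bin/sh
"""
SAMPLE_SHADOW = """\
bin:*:15824:0:99999:7:::
postgres:!!:15824::::::
myapp:$6$c0nstructed$notarealhash:15824:0:90:7:::
sftpdrop:!$6$c0nstructed$notarealhash:15824::::::
nopass::15824:0:99999:7:::
"""

def parse_colon_file(text):
    """Return {name: fields} for a passwd- or shadow-style file."""
    return {f[0]: f for f in (line.split(":") for line in text.splitlines()) if f[0]}

def password_state(field):
    """'locked' blocks password auth only (SSH keys still work); 'empty'
    means no password is required at all; 'set' is a usable hash."""
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    return "set"

def classify(shell, shadow_fields):
    state = password_state(shadow_fields[1])
    if shell in NOLOGIN_SHELLS:
        return "nologin shell: login and su both fail"
    if state == "locked":
        return "locked password: no login, reachable via su/sudo"
    if state == "empty":
        return "RISK: empty password with a login shell"
    return f"RISK: password login possible, max age {shadow_fields[4] or 'unset'} days"

def audit(passwd_text=SAMPLE_PASSWD, shadow_text=SAMPLE_SHADOW):
    """Verdict per passwd entry; an account missing from shadow is flagged."""
    shadow = parse_colon_file(shadow_text)
    return {name: classify(f[6], shadow[name]) if name in shadow else "RISK: no shadow entry"
            for name, f in parse_colon_file(passwd_text).items()}
```

A '!'-locked password stops password authentication only, so an sftp account with an authorized_keys file stays reachable by key, which is normally the intent for the scponly jail setup described above.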