[ale] Service account allows sudo but no login
Scott Plante
splante at insightsys.com
Tue Jul 30 15:05:31 EDT 2013
Also, root can still su to an account with nologin using -s parameter:
guinness:~ # grep statd /etc/passwd
statd:x:493:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
guinness:~ # grep statd /etc/shadow
statd:!:15770::::::
guinness:~ # su statd
This account is currently not available.
guinness:~ # su -s /bin/bash statd -c "id -a"
uid=493(statd) gid=65534(nogroup) groups=65534(nogroup)
guinness:~ # su -s /bin/bash - statd
statd at guinness:~> pwd
/var/lib/nfs
statd at guinness:~> logout
guinness:~ #
This technique, especially with the -c param, is useful when writing /etc/init.d scripts to start/stop a service running as a service account with /sbin/nologin or /bin/false as a shell. That may be a bit old-school, as most of the init scripts seem to use startproc instead of su these days.
OpenSUSE seems to populate the /etc/shadow password field with a single "!" instead of a double bang. I don't believe the bangs are special characters, but that no actual password will ever hash into either one. You could probably just as well put "nope" in there. I see a lot of entries with "*" as the password and I expect it serves the same purpose.
Scott
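An added example, not part of Scott's or Jim's messages: a small POSIX shell audit that applies the two checks the thread relies on, whether the /etc/shadow password field can ever match a password ("!", "!!" or "*" versus a real crypt hash or an empty field) and whether the login shell is interactive. The account data is constructed sample text embedded in the script so it runs without root; the function names and the "myapp" account are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit service accounts for a locked
# password field and a non-interactive shell. Input is constructed sample
# data embedded below rather than the real /etc/passwd and /etc/shadow, so
# it runs unprivileged; substitute the real files on a host you administer.

# Constructed sample /etc/passwd lines (same layout as the thread's output).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
statd:x:493:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
myapp:x:1001:1001:My App service:/opt/myapp:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin'

# Constructed sample /etc/shadow lines. "!" and "!!" are locked (no hash can
# ever match), "*" is the other conventional invalid hash; the $6$ entries are
# placeholder (constructed, not valid) SHA-512 hashes meaning "has a password".
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:15824:0:99999:7:::
statd:!:15770::::::
postgres:!!:15824::::::
myapp:$6$constructedsalt$constructedhash:15824:0:99999:7:::
bin:*:15824::::::'

# password_locked HASHFIELD -> 0 if the field can never match a password.
# crypt(3) output never starts with "!" or "*", and an empty field means
# "no password required", which is the dangerous case, not a locked one.
password_locked() {
    case "$1" in
        '') return 1 ;;          # empty: passwordless login, not locked
        '!'*|'*'*) return 0 ;;   # "!", "!!", "!$6$...", "*": locked
        *) return 1 ;;
    esac
}

# shell_interactive SHELL -> 0 if the login shell allows an interactive session.
shell_interactive() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# shadow_field USER SHADOWDATA -> prints the password field for USER.
shadow_field() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# classify_account USER -> prints one of:
#   locked-nologin    locked field, non-interactive shell (statd, bin above)
#   locked-shell      locked field but a shell, so root can "su - USER" (postgres)
#   password-shell    has a password hash and a shell: a normal login account
#   password-nologin  has a hash but no shell: reachable via "su -s" only
classify_account() {
    user="$1"
    shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $7; exit }')
    hash=$(shadow_field "$user" "$SAMPLE_SHADOW")
    if password_locked "$hash"; then state=locked; else state=password; fi
    if shell_interactive "$shell"; then kind=shell; else kind=nologin; fi
    printf '%s-%s\n' "$state" "$kind"
}

# audit_service_accounts -> prints every non-root account whose password is
# NOT locked; empty output means every service account in the sample is locked.
audit_service_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$1 != "root" { print $1 }' |
    while read -r user; do
        hash=$(shadow_field "$user" "$SAMPLE_SHADOW")
        password_locked "$hash" || printf '%s has a settable password (%s)\n' "$user" "$(classify_account "$user")"
    done
}

# How an init script runs a command as a nologin service account, exactly as
# the thread shows: su -s overrides the login shell. Needs root on a real
# host, so it is defined but not called here.
run_as_service() {
    # usage: run_as_service statd "id -a"
    su -s /bin/sh "$1" -c "$2"
}

audit_service_accounts
```

With the sample data only "myapp" is reported, because it is the one non-root account that keeps both a real hash and an interactive shell; "postgres" shows the pattern Jim describes (locked field, shell kept so root can su to it), and "statd" and "bin" the nologin pattern that needs `su -s`.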
----- Original Message -----
From: "Jim Kinney" <jim.kinney at gmail.com>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Tuesday, July 30, 2013 1:30:03 PM
Subject: Re: [ale] Service account allows sudo but no login
Set the account to be "disabled" by setting the password field in /etc/shadow to '!!'. The shell can be whatever is needed to start the service. If the service needs no shell, set it to /sbin/nologin.
eg.:
# grep postgres /etc/passwd
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
# grep postgres /etc/shadow
postgres:!!:15824::::::
No user named postgres can login BUT (only) root _can_ su - postgres since there is a shell.
These accounts can't be su'ed to :
# grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
# su - bin
This account is currently not available.
# su - lp
This account is currently not available.
On Tue, Jul 30, 2013 at 12:28 PM, leam hall <leamhall at gmail.com> wrote:
Is there a good security practice for service accounts? The goal is that an app can run as "myapp" but no one can login as myapp and myapp's password does not expire.
So far best practice seems to be having a regular shell and no password, with specific people/groups allowed to sudo over.
Thoughts?
Leam
--
Mind on a Mission
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://electjimkinney.org
http://heretothereideas.blogspot.com/