DaemonForums: General software and network

purpose of system accounts?

#1, 29th June 2011
CyberJet (Real Name: Ramon), BSD Student, Miami FL

Greetings to all,

Please forgive my ignorance,

What is the purpose for not wanting to start the login shell? I'm just trying to learn. Please explain.

Thank you,

#2, 29th June 2011
DutchDaemon (Real Name: Ben), Spam Refugee, Rotterdam, The Netherlands

Sometimes you want to run a command as a system user (like 'www' or 'nobody'), which typically does not have (or need) a login shell for security reasons.

#3, 30th June 2011
CyberJet (Real Name: Ramon), BSD Student, Miami FL

Thank You DutchDaemon!

#4, 30th June 2011
ocicat, Administrator

Quote:
Originally Posted by DutchDaemon
Sometimes you want to run a command as a system user (like 'www' or 'nobody'), which typically does not have (or need) a login shell for security reasons.
Taking this one step further, many consider running applications through a system account to be more secure (by further limiting resource access...) than simply running an application as root (which can access everything...). Access separation is considered a good thing, & logging into such accounts is not necessary.
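An added example to go with the two posts above; it is not code from the thread. It classifies the accounts in a passwd(5) file as "service" (shell refuses a session) or "interactive", and the last function shows the one way a nologin account is still used: root runs a command as it. The sample passwd lines are constructed (modelled on OpenBSD's root, www and nobody entries; _postgresql and deploy are invented), the 1000 boundary between system and user uids is an assumption (the useradd default, not something passwd(5) defines), and the su invocation uses OpenBSD su(1) syntax, where arguments after the login name are handed to the shell.

```shell
#!/bin/sh
# Added example, not from the thread: audit which passwd entries can log in,
# and show that a nologin shell does not stop root from using the account.
# Point audit_passwd at /etc/passwd on a real host.

# Constructed sample modelled on OpenBSD defaults; _postgresql and deploy
# are invented for contrast.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
_postgresql:*:503:503:PostgreSQL Manager:/var/postgresql:/bin/sh
deploy:*:1001:1001:Deploy account:/home/deploy:/bin/ksh'

# Shells that refuse a session. An EMPTY shell field is deliberately not
# listed: passwd(5) treats it as /bin/sh, a classic audit surprise.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false'

is_login_shell() {
    # $1 = shell field; returns 0 if it would give an interactive session
    shell_field=${1:-/bin/sh}
    for s in $NOLOGIN_SHELLS; do
        [ "$shell_field" = "$s" ] && return 1
    done
    return 0
}

classify_account() {
    # $1 = one passwd(5) line; prints "name:CLASS:detail"
    printf '%s\n' "$1" | {
        IFS=: read -r name pw uid gid gecos home shell
        if is_login_shell "$shell"; then
            if [ "$uid" -eq 0 ]; then
                printf '%s:interactive:uid 0, shell %s\n' "$name" "${shell:-/bin/sh}"
            elif [ "$uid" -lt 1000 ]; then   # 1000: assumed system/user boundary
                # legitimate for some daemons (the _postgresql case), but then
                # the password must be locked in master.passwd or shadow
                printf '%s:REVIEW:system uid %s with login shell %s\n' "$name" "$uid" "${shell:-/bin/sh}"
            else
                printf '%s:interactive:shell %s\n' "$name" "${shell:-/bin/sh}"
            fi
        else
            printf '%s:service:shell %s, home %s\n' "$name" "$shell" "$home"
        fi
    }
}

audit_passwd() {
    # $1 = passwd-format file; prints one classification per account
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        classify_account "$line"
    done < "$1"
}

run_as_service_user() {
    # The caveat: /sbin/nologin stops *logins*, not use. Root overrides the
    # shell with -s, which is how rc scripts start daemons as www or
    # _postgresql. OpenBSD su(1) syntax, assumed; needs root, so the usage
    # below does not call it.
    user=$1; shift
    su -s /bin/sh "$user" -c "$*"
}

# Usage on the constructed sample
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

The REVIEW class is the interesting one: a system uid with a real shell is normal for a daemon whose startup script does `su -l`, but only if the password field in master.passwd (or shadow) is locked, which /etc/passwd alone does not tell you.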

#5, 30th June 2011
Carpetsmoker (Real Name: Martin), Old man from scene 24, Eindhoven, Netherlands

^ What he said

Consider this shell script:
Code:
rm -rf "/${root}"
Now, because of an error in your script or some other reason, ${root} isn't set. The shell will continue happily, but now it executes:
Code:
rm -rf "/"
Whoops!
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Last edited by Carpetsmoker; 30th June 2011 at 04:52 PM.
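An added example, not from Carpetsmoker's post, showing two guards against the rm -rf "/${root}" accident. Both run on a scratch directory so nothing outside it is touched. Note that `set -u` would catch an unset ${root} but not an empty one; the `${name:?}` form catches both, and the second function validates the joined path instead of trusting its inputs at all. Function names, the base/subdirectory split and the rejection rules are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: guards for rm -rf "/${root}".

# Guard 1: ${name:?message}. If $2 is unset or empty, the shell prints the
# message and aborts a non-interactive shell before rm is ever reached.
remove_tree_v1() {
    # $1 = base directory, $2 = subdirectory under it (the original ${root})
    rm -rf -- "$1/${2:?refusing to run: subdirectory name is empty}"
}

# Guard 2: validate the final path. Removes nothing and returns 1 when the
# base is not an absolute path below /, the name is empty, absolute, or has
# a "." or ".." component, or the joined path is not an existing directory.
safe_rm_tree() {
    base=$1
    sub=$2
    case $base in
        /?*) ;;   # absolute and not "/" itself: never operate directly under /
        *) echo "safe_rm_tree: base must be an absolute path, got '$base'" >&2; return 1 ;;
    esac
    if [ -z "$sub" ]; then
        echo "safe_rm_tree: empty subdirectory name, nothing removed" >&2
        return 1
    fi
    case "/$sub/" in
        //*|*/../*|*/./*) echo "safe_rm_tree: rejecting name '$sub'" >&2; return 1 ;;
    esac
    target="$base/$sub"
    if [ ! -d "$target" ]; then
        echo "safe_rm_tree: $target is not a directory" >&2
        return 1
    fi
    rm -rf -- "$target"
}

# Usage on a scratch tree (remove_tree_v1 is only shown, since its failure
# mode is to abort the whole shell)
scratch=$(mktemp -d)
mkdir -p "$scratch/app/cache"
safe_rm_tree "$scratch/app" cache && echo "removed $scratch/app/cache"
safe_rm_tree "$scratch/app" "" || echo "empty name refused, $scratch/app still there"
rm -rf "$scratch"
```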

#6, 30th June 2011
rocket357 (Real Name: Jonathon), Wannabe OpenBSD porter, 127.0.0.1

Imagine you have a small server application running. You can run it as root, some user with login shell, or some user without login shell.

Your server application gets hit with a buffer overflow attack (for example, it could get hit with any range of other attacks as well). The attack's payload is set to insert an ssh key into $HOME/.ssh/authorized_keys, meaning the attacker can then ssh to the host machine without a password.

As root, the attacker just compromised the entire machine. As normal user, the attacker can login then launch priv. escalation attacks to gain root. As user w/nologin, the attacker is stuck out in the cold.

Make sense?
__________________
Linux Admin by Profession. OpenBSD user by choice.

Last edited by rocket357; 30th June 2011 at 03:19 PM.
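An added example, not from rocket357's post: a detection check for the attack he describes. A service account never legitimately acquires SSH keys, so an authorized_keys file under the home of a nologin/false account is a finding regardless of whether the shell would have let the attacker in (it proves the compromised process could write to that home). It runs against a constructed passwd file under a scratch prefix; the fixture, the key strings and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find SSH keys planted in the homes of
# service accounts. On a real host: find_keys_in_service_homes /etc/passwd ""

find_keys_in_service_homes() {
    # $1 = passwd(5) file, $2 = prefix prepended to every home ("" = real root)
    # prints "user home" per finding; returns 1 if anything was found
    passwd=$1; prefix=$2; found=0
    while IFS=: read -r name pw uid gid gecos home shell || [ -n "$name" ]; do
        case $shell in
            */nologin|*/false) ;;   # service account: keep looking
            *) continue ;;         # interactive user: keys there are normal
        esac
        keyfile="$prefix$home/.ssh/authorized_keys"
        if [ -f "$keyfile" ] || [ -L "$keyfile" ]; then
            printf '%s %s\n' "$name" "$home"
            found=1
        fi
    done < "$passwd"
    [ "$found" -eq 0 ]
}

build_fixture() {
    # Constructed fixture: the three account types from the post (root, a
    # normal user, www with /sbin/nologin), nobody with a non-existent home,
    # and a key planted under www's home as the payload would do.
    d=$1
    mkdir -p "$d/root/.ssh" "$d/home/alice/.ssh" "$d/var/www/.ssh"
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/ksh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/ksh' \
        'www:*:67:67:HTTP Server:/var/www:/sbin/nologin' \
        'nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin' \
        > "$d/passwd"
    # constructed strings, not real keys
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK attacker' \
        > "$d/var/www/.ssh/authorized_keys"
    # alice's own key is expected and must not be reported
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAK alice' \
        > "$d/home/alice/.ssh/authorized_keys"
}

# Usage
fx=$(mktemp -d)
build_fixture "$fx"
find_keys_in_service_homes "$fx/passwd" "$fx" || echo "finding(s) above: treat the host as compromised"
rm -rf "$fx"
```

Two details worth keeping in mind when running this for real: a home of /nonexistent is only protection while it does not exist (check that it was not created), and the check looks at the shell alone, so an account with a real shell and a locked password (the `su -l` daemon pattern) is not covered and needs the password field from master.passwd or shadow.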

#7, 30th June 2011
jggimi, More noise than signal, USA

Example application -- a database engine. The administrative userid is typically NOT root, but is postgresql, or mysql, or whatever. On OpenBSD, these system userids typically start with underscore, such as _postgresql. The startup scripts will use sudo or su to bring up the associated daemons, such as:
Code:
su -l _postgresql -c "nohup /usr/local/bin/pg_ctl start \
        -D /var/postgresql/data -l /var/postgresql/logfile \
        -o '-D /var/postgresql/data' >/dev/null"
(It is, of course, best practice to NEVER have your database servers exposed to the Internet. But problems can also occur from inside one's network. Is everybody trusted? Even if they are, did one of them accidentally do something that enabled a remote vector in by an external attacker?)

#8, 30th June 2011
BSDfan666 (Real Name: N/A, this is the interweb.), Helpful companion, Ontario, Canada

Not enough explanations or examples, keep going.

#9, 30th June 2011
jggimi, More noise than signal, USA

Quote:
Originally Posted by BSDfan666
Not enough explanations or examples, keep going.

1st July 2011
CyberJet (Real Name: Ramon), BSD Student, Miami FL

Greetings to all!

Ocicat, "www" and "nobody" are system users? I thought that www was a service and nobody someone trying to break into my system.

Can you please show me an example of how you will use "www" and "nobody" to do something useful.

Thanks

1st July 2011
ocicat, Administrator

Quote:
Originally Posted by CyberJet
Ocicat, "www" and "nobody" are system users?
Look at the output of the following commands on OpenBSD:
Code:
$ cat /etc/passwd | grep www
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
$ cat /etc/passwd | grep nobody
nobody:*:32767:32767:Unprivileged user for NFS:/nonexistent:/sbin/nologin
$
As for the name of OpenBSD's default Web server, look at httpd(8).
Quote:
Can you please show me an example of how you will use "www" and "nobody" to do something useful.
  • What resources should a Web server be able to access?
  • As for NFS, you might benefit from reading the FAQ's discussion on NFS in Section 6.7.
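An added example, not from ocicat's post, giving one concrete answer to his first question. A web server needs to read its document root and should not be able to write it, so an attacker who owns the www process cannot plant or alter content. The function lists every path under a directory that a given service user could modify through ownership, group membership or world-write bits; ACLs and read-only mounts are not considered, and the scratch tree, the use of the current user as a stand-in for www, and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report what under a directory the
# service user could write. On a real host:
#   writable_by_service_user www www /var/www/htdocs

writable_by_service_user() {
    # $1 = service user, $2 = its primary group ("" to skip the group test),
    # $3 = directory to audit. Prints each writable path; returns 1 if any.
    user=$1; group=$2; dir=$3
    if [ -n "$group" ]; then
        hits=$(find "$dir" \( -user "$user" -perm -200 \) \
                         -o \( -group "$group" -perm -020 \) \
                         -o -perm -002)
    else
        hits=$(find "$dir" \( -user "$user" -perm -200 \) -o -perm -002)
    fi
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage on a scratch tree: the current user stands in for www, so everything
# is "owned by the service user" and only the mode bits decide the result.
d=$(mktemp -d)
mkdir -p "$d/htdocs/uploads"
echo '<html></html>' > "$d/htdocs/index.html"
chmod 444 "$d/htdocs/index.html"     # readable, not writable: fine
chmod 555 "$d/htdocs"                # fine
chmod 755 "$d/htdocs/uploads"        # writable by the server: reported
writable_by_service_user "$(id -un)" "" "$d/htdocs" \
    || echo "fix: own the docroot as root, chmod u=rwX,g=rX,o=, and keep any upload directory outside it"
chmod -R u+w "$d" && rm -rf "$d"
```

The usual layout that passes this check is a document root owned by root with group www and no group-write bit, and a separate directory (outside the docroot, never served as executable content) for anything the server genuinely has to write, such as uploads or a cache.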

1st July 2011
CyberJet (Real Name: Ramon), BSD Student, Miami FL

Thank you, I'll be reading the discussion.

Regards