Don't give a shell to system users - use su

I seem very ancientwisdom-oriented these days.

Sometimes you've got a system user on your linux server that's used to run a specific service; it's a good practice to employ those users to achieve privilege separation, since it limits the impact of many security breaches. It's security 101, really.

If you've got a system user, most probably its shell would be /bin/false or /bin/nologin. Again, this is a good practice, since it would be harder for an attacker to gain shell access to your machine through that user.

But I find that many people just change such shell, because sometimes they need to customize the environment for a user, and if you try doing something like

su - systemuser  

you'll find yourself just back to your original shell, because su tries to invoke the shell which is set for the target user, and sudo doesn't generally help here, because its --shell option doesn't start a proper login shell for that user (most of the environment is that of the calling user).

Very well, gentlemen: this is a wrongdoing and a potential security hole. You should never enable a shell for your system users. Instead, you should leverage an option of su:

su - systemuser --shell /bin/bash  

That lets you choose your favourite shell on a per-launch basis.

Alan Franzoni

Read more posts by this author.

Trieste, Italy
comments powered by Disqus