7

Interestingly enough, on my Ubuntu derivative with nginx installed with apt, the www-data user has a shell:

$ cat /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh

Shouldn't this be set to something like /bin/false? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?

Naftuli Kay
  • Not normally, but you may need it in your environment. Try setting it to `/bin/false` and see what breaks. If something does break document it and/or fix it. – Zoredache Dec 04 '13 at 22:43
  • Doesn't look like anything broke. – Naftuli Kay Dec 04 '13 at 22:46
  • If something was going to break it would probably be related to some cgi/php/perl/etc script trying to run a shell command for some reason. Which may be legitimate in some situations. – Zoredache Dec 04 '13 at 22:48
  • @Zoredache I'm pretty sure you can specify an alternate shell (something other than the login shell) for backtick or `system()` execution :) – voretaq7 Dec 04 '13 at 23:17
  • That does seem to be the default on ubuntu, so on the bright side, no one's changed it. – Journeyman Geek Dec 05 '13 at 02:52

1 Answer

7

Well /bin/false (or /bin/true if you're a positive person) is a real shell - it's just not an interactive shell :-) There's also /sbin/nologin on some systems which serves the same purpose.

As to whether your Apache user needs an interactive shell (something like bash), the answer as others have said is "Usually, no."
Setting the Apache user's shell to something non-interactive is generally good security practice (really all service users who don't have to log in interactively should have their shell set to something that's non-interactive).

For an existing environment like yours, try it, and see if anything breaks.
If nothing breaks use the non-interactive shell from now on.
If stuff breaks try to fix it without restoring the interactive shell :-)

Jacob
voretaq7
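The "set it non-interactive, then see what breaks" advice above, turned into a small audit script. This is an added example, not code from the question or the answer: it scans passwd-style lines for system accounts that still have an interactive shell and prints the `usermod -s` command that would change each one. It assumes the Debian/Ubuntu convention that system accounts have UIDs below 1000, and the sample passwd content is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/passwd-style file for
# system accounts (UID below 1000, the Debian/Ubuntu convention) that still have an
# interactive login shell, and print the usermod command that would fix each one.
# The passwd content below is constructed so the script runs offline.

# Shells treated as non-interactive (the answer's /bin/false, /bin/true, /sbin/nologin,
# plus Debian's /usr/sbin/nologin).
NON_INTERACTIVE="/bin/false /bin/true /sbin/nologin /usr/sbin/nologin"

is_non_interactive() {
    for s in $NON_INTERACTIVE; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Read passwd lines on stdin; print "user:shell" for every system account
# (uid < 1000, root excluded) whose shell is not in NON_INTERACTIVE.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        [ "$user" = root ] && continue
        [ "$uid" -lt 1000 ] 2>/dev/null || continue
        if ! is_non_interactive "$shell"; then
            printf '%s:%s\n' "$user" "$shell"
        fi
    done
}

# Constructed sample: the Ubuntu www-data entry from the question plus a few others.
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
postgres:x:107:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash'

# Run the audit over the sample (on a real host: audit_passwd < /etc/passwd).
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_passwd
}

audit_sample | while IFS=: read -r user shell; do
    echo "$user has interactive shell $shell"
    echo "  fix: usermod -s /usr/sbin/nologin $user   (then re-test the service)"
done
```

As voretaq7's comment notes, `system()` and backticks spawn `/bin/sh` directly rather than the account's login shell, so a web application that shells out normally keeps working after the change; what stops working is anything that actually logs in as the account, such as `su - www-data`.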