1

I have just read about how to disable shell access for users in Ubuntu in this post for security reasons. Is it safe to disable shell access to all users listed in /etc/passwd except the root:x:0:0 and another specific user, say tom:x:1000:1000?

For example, if I disable shell for the default users coming with the installation of the operating system such as daemon, bin, sys, sync, games, man, lp, mail, news, and uucp (and many others not listed here), may this cause any issue?

specstr
  • 111
  • No, you shouldn't, because it may be required by certain programs and may later be needed to repair damage to the account. – John Militer Apr 26 '16 at 23:22

3 Answers

1

I don't know if it's safe, since there may be programs that require it, but I do know it's not necessary. These users already have login access disabled by way of not having passwords, so there's no need to change the shell.

John
  • 17,011
  • Thanks for the answer. In /etc/passwd almost all users seem to be assigned /bin/bash or /bin/sh, but that does not mean they have shell access as they don't have passwords. Is this right? – specstr Dec 29 '15 at 14:31
  • Not quite. Even without a valid password, I can su to the bin user from root and get shell access. I have no direct login access to the bin user, though, which is what is important. – John Dec 29 '15 at 14:40
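Reading the two files together, rather than /etc/passwd alone, is what settles the point raised in John's answer and the comments: a login shell in /etc/passwd means nothing by itself, it is the password field in /etc/shadow that decides whether an account can authenticate directly. The audit script below is an added example, not code from the thread; it assumes the usual Linux shadow conventions (`*` or a leading `!` means locked, an empty field means no password at all) and runs against constructed sample entries rather than a real host's files.

```shell
#!/bin/sh
# audit_logins PASSWD_FILE SHADOW_FILE
# Prints "user shell state" for every account whose login shell is interactive
# (anything except nologin/false/sync/halt/shutdown), so the reader can see
# which of them could actually authenticate. state is one of:
#   locked    - shadow field is '*' or starts with '!' (no direct login)
#   empty     - shadow field is empty (passwordless: this needs fixing)
#   hash      - a usable password hash is set (direct login possible)
#   no-shadow - no shadow entry exists for the account
audit_logins() {
    awk -F: '
        NR == FNR { shadow[$1] = $2; seen[$1] = 1; next }   # first file: shadow
        {
            sh = $7
            if (sh == "" || sh ~ /(nologin|false|sync|halt|shutdown)$/) next
            if (!($1 in seen))             state = "no-shadow"
            else if (shadow[$1] == "")     state = "empty"
            else if (shadow[$1] ~ /^[!*]/) state = "locked"
            else                           state = "hash"
            printf "%s %s %s\n", $1, sh, state
        }' "$2" "$1"
}

# Constructed sample entries (not taken from any real host). In practice run
# the function as root against /etc/passwd and /etc/shadow.
demo() {
    p=$(mktemp); s=$(mktemp)
    cat > "$p" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tom:x:1000:1000:Tom:/home/tom:/bin/bash
svc:x:1001:1001:Service:/srv/svc:/bin/bash
EOF
    cat > "$s" <<'EOF'
root:$6$saltsalt$notarealhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
sync:*:17000:0:99999:7:::
www-data:*:17000:0:99999:7:::
tom:$6$saltsalt$notarealhash:17000:0:99999:7:::
svc::17000:0:99999:7:::
EOF
    audit_logins "$p" "$s"
    rm -f "$p" "$s"
}
demo
```

On the sample, daemon and bin show up as `locked` despite their /bin/sh shell, which is exactly the situation the question describes; the `empty` result for svc is the case worth acting on.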
0

I guess you mean the login shell. It is already disabled wherever it is not needed; you can see it is something like /usr/sbin/nologin or /bin/false.

Only root has the shell /bin/bash, or some other user account that we ourselves create for logging into the system.

Ijaz Ahmad
  • 7,202
  • As I just commented on John's answer, almost all of the default users (which were not created by us) are assigned either /bin/bash or /bin/sh. I never changed the shells for these users since the installation of the OS. Does that mean that those shell assignments are default and needed for the OS? – specstr Dec 29 '15 at 14:39
0

The reason is simple.

These users like daemon, bin, sys, sync, games, man, lp, mail, news, and uucp are not interactive users. They are intended for some special purposes, like running a daemon (a web server, for example), and are not intended to run another program.

So basically they shouldn't have an interactive shell.

linerd
  • 167