2

After an upgrade on my server system I saw that the system added a user with name "Debian" to a lot of groups. I checked that it has no password set in /etc/shadow, so I think it's benign.

But just for completeness sake:

Where do I find information about which system users should exist on a certain distro (let's begin with Debian, Fedora, Ubuntu) and which ones are more likely to be some unwanted guest?

Toby Speight
  • 8,678
user56452
  • 161
  • "After an upgrade on my server system" can you be more specific? – Chris Davies Dec 16 '21 at 13:19
  • "it has no passwd set in /etc/shadow" it's empty, or it's locked? – Chris Davies Dec 16 '21 at 13:19
  • @Braiam Your edit changes the question completely. Your edited version is a more answerable question — this question is really borderline in terms of not being too broad — but it's not what people have answered and it's not useful information for the asker. – Gilles 'SO- stop being evil' Dec 16 '21 at 19:28
  • 2
    The thirst field in /etc/shadow for that user can give you an indication as to when the user was created (date -d "@$((thatnumber * 86400)" +%F). Then, you can try and find what else happened on that day to see if that gives you any clue. – Stéphane Chazelas Dec 16 '21 at 19:55
  • @Gilles'SO-stopbeingevil' no, it removes the too broad aspects of it, while keeping the answers relevant. All answers boil down to "depends" anyway, with examples. Anyway, users only knowledgeable about Debian will only be able to speak about Debian, so making it generic allows anyone with knowledge of any distro to answer it with specific examples, as long as they also answer the generic question. – Braiam Dec 17 '21 at 13:49
  • @Gilles'SO-stopbeingevil' also, you reintroduced the typos that I fixed. – Braiam Dec 17 '21 at 13:51
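The two checks raised in the comments above (is the password field empty or locked, and what date does the third shadow field translate to) as a small added script. This is an added example, not code from the question or the comments; the shadow lines it works on are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: decode an /etc/shadow entry. Field 2 is the password field
# (empty = no password, "!" or "*" prefix = locked/unusable, otherwise a hash);
# field 3 is the last-change date in days since 1970-01-01, which for a fresh
# account is normally its creation day. Pass a shadow file path as $1 to use a
# real file; with no argument the constructed sample below is used.

# Constructed sample shadow lines (placeholder hash, not from a real system).
SAMPLE_SHADOW='root:$6$placeholderhash:18900:0:99999:7:::
Debian:!:18977:0:99999:7:::
Debian-exim:*:18900:0:99999:7:::
nopass::18977:0:99999:7:::'

# shadow_changed_date LINE -> YYYY-MM-DD from field 3, or "never" if it is empty
shadow_changed_date() {
    days=$(printf '%s\n' "$1" | cut -d: -f3)
    if [ -z "$days" ]; then
        echo never
        return
    fi
    # -u: interpret in UTC so the printed day does not depend on the local TZ
    date -u -d "@$((days * 86400))" +%F
}

# shadow_password_state LINE -> "empty", "locked" or "hashed" from field 2
shadow_password_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hashed ;;
    esac
}

# report [FILE] -> one line per account: name, password state, last-change date
report() {
    if [ -n "${1:-}" ]; then input=$(cat "$1"); else input=$SAMPLE_SHADOW; fi
    printf '%s\n' "$input" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        printf '%-12s %-7s %s\n' "$name" \
            "$(shadow_password_state "$line")" "$(shadow_changed_date "$line")"
    done
}

report "$@"
```

An "empty" state is the case to worry about: whether such an account can actually log in then depends on PAM (nullok) and on the SSH server's PermitEmptyPasswords setting, whereas "locked" only blocks password authentication and says nothing about SSH keys.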

3 Answers

9

As your question suggests, the answer depends on the distribution being used. However in most cases I wouldn’t expect any system user to be a member of “a lot of groups”, and adm (in Debian) should only contain users (system or otherwise) which need access to system logs, for example logcheck.

The default groups in Debian are defined in base-passwd, and they are all empty (apart from users for which they are the primary group). Other system groups can be added dynamically by packages requiring them, following the framework defined in Debian Policy; there’s no canonical list of these groups.

See “What are necessary users used for” for a similar question on system users.

Your Debian user does seem suspicious to me. There are system users with names starting with Debian-, but I’m not aware of a system user named Debian exactly.

Stephen Kitt
  • 434,908
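To make the point about group membership concrete, here is an added script (not part of the answer) that summarises supplementary membership from an /etc/group file, so an account in "a lot of groups" or a non-empty adm group stands out. The /etc/group content is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example: tabulate supplementary group membership (field 4 of /etc/group).
# Pass a path to use a real /etc/group; with no argument the constructed sample
# below is used. Primary groups come from /etc/passwd and are not counted here.

# Constructed sample /etc/group; "Debian" is the suspicious account from the question.
SAMPLE_GROUP='root:x:0:
adm:x:4:alice,Debian
sudo:x:27:alice,Debian
staff:x:50:
Debian-exim:x:113:
logcheck:x:115:
docker:x:998:Debian
www-data:x:33:'

group_input() {
    if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_GROUP"; fi
}

# group_members GROUP [FILE] -> the member list of GROUP (possibly empty)
group_members() {
    group_input "${2:-}" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# membership_table [FILE] -> "user count group,group,..." per user, most groups first
membership_table() {
    group_input "${1:-}" | awk -F: '
        $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                cnt[m[i]]++
                grp[m[i]] = (grp[m[i]] == "" ? "" : grp[m[i]] ",") $1
            }
        }
        END { for (u in cnt) print u, cnt[u], grp[u] }' | sort -k2,2nr -k1,1
}

# users_in_many_groups THRESHOLD [FILE] -> names of users in at least THRESHOLD groups
users_in_many_groups() {
    membership_table "${2:-}" | awk -v t="$1" '$2 >= t { print $1 }'
}

echo "Members of adm: $(group_members adm)"
echo "Accounts in 2 or more groups:"
users_in_many_groups 2
echo "Full table:"
membership_table
```

On a Debian system the groups from base-passwd should come out empty here; any Debian-* service account listed as a member of another group, or a name you do not recognise in adm or sudo, is what to follow up on.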
9

Where do I find information about which system users should exist on a certain distro (let's begin with Debian, Fedora, Ubuntu) and which ones are more likely to be some unwanted guest?

There's no easy answer to that, especially a cross-distribution answer. Compare with a minimal installation of the same version distribution with the same packages. Review the differences.

Note that if you upgraded from an earlier version, there may be extra system users and groups that are no longer used, but still present because the upgrader can't be sure that they're no longer used.

I saw that the system added a user with name "Debian" to a lot of groups

A legitimate user who's in a lot of groups would typically be a human account with privileges. This could be the initial user created during the installation or a user added later.

Debian does not create a user called Debian, and I imagine other distributions wouldn't either. Debian does create users and groups called Debian-something to run system services, but these would not be in “a lot of groups” (I'm not sure if there are any that are in anything but their default group).

I checked that it has no passwd set in /etc/shadow, so I think it's benign.

Having no password in /etc/shadow doesn't make an account unusable. Most commonly, the account could have an SSH public key. Check .ssh/authorized_keys and .ssh/authorized_keys2 in the user's home directory as well as any other AuthorizedKeys… directive in /etc/sshd_config (or /etc/ssh/sshd_config or wherever your distribution puts it).

adm: group

Depending on the distribution and on local sysadmin preferences, this could be a group that's given root access via sudo. Check /etc/sudoers and /etc/sudoers.d/*.

If you're looking for a badly hidden backdoor (having something suspicious in /etc/group definitely counts as badly hidden), you need to check other things, like an alternative service listening to network logins, a setuid program somewhere, etc. Even if you don't find anything, keep in mind that the badly hidden part could be planted there by a competent attacker to give you a false sense of security when you find and fix it. If you're unsure whether your system has been breached, you need to nuke it from orbit.

But before you do that, check with your fellow admins to see if this is just a badly named manually created account.
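The three checks this answer recommends (diff the account list against a minimal install of the same release, look for authorized_keys files, and look for sudoers rules naming the user or group) as one added audit script. It is an added example, not the answer's own code; every input file is a constructed sample written under a temporary directory, the reference passwd stands in for "a minimal installation with the same packages", and the SSH key is a placeholder.

```shell
#!/bin/sh
# Added example: audit an unexpected account the way the answer suggests.
# All files are constructed samples under a temporary root; on a real system
# you would point the functions at / and a reference passwd from a clean install.

make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sudoers.d" "$root/home/alice/.ssh" "$root/home/Debian/.ssh"
    # Constructed reference passwd from a clean install of the same release.
    cat > "$root/etc/passwd.reference" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
Debian-exim:x:106:113::/var/spool/exim4:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    # Constructed current passwd on the upgraded system: one extra account.
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
Debian-exim:x:106:113::/var/spool/exim4:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
Debian:x:1001:1001::/home/Debian:/bin/bash
EOF
    # Placeholder public key: a no-password account can still log in with this.
    echo 'ssh-ed25519 AAAAPLACEHOLDERKEYDATAFOREXAMPLEONLY example' \
        > "$root/home/Debian/.ssh/authorized_keys"
    cat > "$root/etc/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
EOF
    echo '%adm ALL=(ALL) NOPASSWD: ALL' > "$root/etc/sudoers.d/90-adm"
    printf '%s\n' "$root"
}

# accounts_not_in_reference ROOT -> names in ROOT/etc/passwd that are absent
# from ROOT/etc/passwd.reference ("compare with a minimal installation").
accounts_not_in_reference() {
    cut -d: -f1 "$1/etc/passwd.reference" | sort > "$1/ref.names"
    cut -d: -f1 "$1/etc/passwd" | sort > "$1/cur.names"
    comm -13 "$1/ref.names" "$1/cur.names"
}

# authorized_key_files ROOT -> "user path" for each non-empty authorized_keys
# or authorized_keys2 under a home directory listed in ROOT/etc/passwd.
authorized_key_files() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        for f in authorized_keys authorized_keys2; do
            if [ -s "$1$home/.ssh/$f" ]; then
                printf '%s %s\n' "$name" "$home/.ssh/$f"
            fi
        done
    done < "$1/etc/passwd"
}

# sudo_rules_for ROOT NAME -> rules in sudoers and sudoers.d whose first word
# is NAME (a user) or %NAME (a group); Defaults lines never match.
sudo_rules_for() {
    cat "$1/etc/sudoers" "$1/etc/sudoers.d"/* 2>/dev/null |
        awk -v n="$2" '$1 == n || $1 == ("%" n)'
}

root=$(make_sample_root)
echo "Accounts not in reference:";  accounts_not_in_reference "$root"
echo "authorized_keys files found:"; authorized_key_files "$root"
echo "sudo rules for group adm:";    sudo_rules_for "$root" adm
rm -rf "$root"
```

The sudoers check only looks at rules that name the user or group directly; aliases (User_Alias, Runas_Alias) and the sshd AuthorizedKeysFile / AuthorizedKeysCommand directives the answer mentions still need to be read by hand.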

3

IMHO, there's nothing (at least, not in Debian's user guide) listing service users / maintenance users.

Moreover, this list would vary depending on packages installed on your system:

  • OpenLDAP would add a slapd user and group.
  • FreeRadius would add a freerad user and group.
  • ...

Note that several users are installed by default (but not a Debian one ;p)

binarym
  • 2,649