<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<!-- Template generated by Exclaimer Mail Disclaimers on 02:58:07 Tuesday, 30 July 2013 -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">P.3a2ecc6e-67ce-41ad-86a4-be45ea4894ed {
MARGIN: 0cm 0cm 0pt
}
LI.3a2ecc6e-67ce-41ad-86a4-be45ea4894ed {
MARGIN: 0cm 0cm 0pt
}
DIV.3a2ecc6e-67ce-41ad-86a4-be45ea4894ed {
MARGIN: 0cm 0cm 0pt
}
TABLE.3a2ecc6e-67ce-41ad-86a4-be45ea4894edTable {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</style>
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"></p>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s pretty much what we do here – grant sudo access to allow “sudo su -<user>” (and sudo <user>) for athe administrative user.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If the account’s main purpose is to allow multiple people to put or get files via sftp we set it up as scponly in a jail then create links into the jailed directory
that our applications can write to or read from to either put files for the users to get or get files the users have put. This insures the users can’t see anything on the server except what is in the jail. (Of course being jailed the link has to be into
rather than from it as any link from it would fail.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Side note: With our recent conversion from HP-UX to Linux we were finally able to get rid of old ftp accounts and force everyone to use WinSCP to sftp instead
into servers if necessary.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>Jim Kinney<br>
<b>Sent:</b> Tuesday, July 30, 2013 1:30 PM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Service account allows sudo but no login<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">set account to be "disabled" by having password field in /etc/shadow to '!!'. The shell can be what ever is needed to start service. If the service needs no shell, set it to /sbin/nologin.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">eg.:<br>
<br>
# grep postgres /etc/passwd<br>
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash<br>
# grep postgres /etc/shadow<br>
postgres:!!:15824::::::<br>
<br>
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">No user named postgres can login BUT (only) root _can_ su - postgres since there is a shell.<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">These accounts can't be su'ed to :<br>
# grep nologin /etc/passwd<br>
bin:x:1:1:bin:/bin:/sbin/nologin<br>
daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>
adm:x:3:4:adm:/var/adm:/sbin/nologin<br>
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>
<br>
# su - bin<br>
This account is currently not available.<br>
# su - lp<br>
This account is currently not available.<br>
<br>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Jul 30, 2013 at 12:28 PM, leam hall <<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Is there a good security practice for service accounts? The goal is that an app can run as "myapp" but no one can login as myapp and myapp's password does not expire.
<o:p></o:p></p>
</div>
<p class="MsoNormal">So far best practice seems to be having a regular shell and no password, with specific people/groups allowed to sudo over.
<br clear="all">
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:#888888">Leam<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">-- <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><a href="http://leamhall.blogspot.com/" target="_blank">Mind on a Mission</a><span style="color:#888888"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
</p>
</div>
</div>
</div>
<p></p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"></p>
<div class="WordSection1">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <br>
-- <br>
James P. Kinney III<br>
<i><br>
</i>Every time you stop a school, you will have to build a jail. What you gain at one end you lose at the other. It's like feeding a dog on his own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br>
<i><br>
</i><a href="http://electjimkinney.org" target="_blank"><i>http://electjimkinney.org</i></a><i><br>
</i><a href="http://heretothereideas.blogspot.com/" target="_blank"><i>http://heretothereideas.blogspot.com/</i></a><o:p></o:p></p>
</div>
</div>
<p></p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font face="Arial"><font color="fuchsia"><font style="FONT-FAMILY: Arial; FONT-SIZE: 10pt" size="2"></font></font></font> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font face="Arial"><font color="fuchsia"><font style="FONT-FAMILY: Arial; FONT-SIZE: 10pt" size="2">Athena<font size="1">®</font>, Created for the Cause</font><font size="1">™
</font></font></font></p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font size="2" face="Arial">Making a Difference in the Fight Against Breast Cancer</font></p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font size="2" face="Arial"></font> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font size="2" face="Arial"></font> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font face="Arial"><font size="2"><strong>How and Why I Should Support Bottled Water!<br>
</strong>Do not relinquish your right to choose bottled water as a healthy alternative to beverages that contain sugar, calories, etc. Your support of bottled water will make a difference! Your signatures count! Go to
<a href="http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters">http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters</a> and sign a petition to support your right to always choose bottled water. Help fight federal and state issues,
such as bottle deposits (or taxes) and organizations that want to ban the sale of bottled water. Support community curbside recycling programs. Support bottled water as a healthy way to maintain proper hydration. Our goal is 50,000 signatures. Share this petition
with your friends and family today!</font></font></p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><font size="2" face="Arial"></font> </p>
<p class="3a2ecc6e-67ce-41ad-86a4-be45ea4894ed"><span style="FONT-FAMILY: Arial; FONT-SIZE: 10pt">---------------------------------<br>
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information
is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.<br>
----------------------------------</span><span style="FONT-FAMILY: 'Courier New'; FONT-SIZE: 9pt"><o:p></o:p></span></p>
<p> </p>
<p></p>
<p></p>
</body>
</html>