<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000'><font face="arial, helvetica, sans-serif">Also, root can still su to an account with nologin using -s parameter:</font><div><font face="arial, helvetica, sans-serif"><br></font><div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # grep statd /etc/passwd</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">statd:x:493:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # grep statd /etc/shadow</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">statd:!:15770::::::</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # su statd</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">This account is currently not available.</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # su -s /bin/bash statd -c "id -a"</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">uid=493(statd) gid=65534(nogroup) groups=65534(nogroup)</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # su -s /bin/bash - statd</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">statd@guinness:~> pwd</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">/var/lib/nfs</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">statd@guinness:~> logout</font></div><div><font face="courier new, courier, monaco, monospace, sans-serif">guinness:~ # </font></div><div style="font-family: arial, helvetica, sans-serif;"><br></div><div style="font-family: arial, helvetica, sans-serif;">This technique, especially with the -c param, is useful when writing /etc/init.d scripts to start/stop a service running as a service account with /sbin/nologin or /bin/false as a shell. That may be a bit old-school, as most of the init scripts seem to use startproc instead of su these days.</div><div style="font-family: arial, helvetica, sans-serif;"><br></div><div style="font-family: arial, helvetica, sans-serif;">OpenSUSE seems to populate /etc/shadow password with a single "!" instead of a double bang. I don't believe the bangs are special characters, but that no actual password will ever has into either one. You could probably just as well put "nope" in there. I see a lot of entries with "*" as the password and I expect it serves the same purpose.</div><div style="font-family: arial, helvetica, sans-serif;"><br></div><div style="font-family: arial, helvetica, sans-serif;">Scott</div><div><br></div><hr id="zwchr" style="font-family: arial, helvetica, sans-serif;"><div style="font-family: Helvetica, Arial, sans-serif; color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none; font-size: 12pt;"><b>From: </b>"Jim Kinney" <jim.kinney@gmail.com><br><b>To: </b>"Atlanta Linux Enthusiasts" <ale@ale.org><br><b>Sent: </b>Tuesday, July 30, 2013 1:30:03 PM<br><b>Subject: </b>Re: [ale] Service account allows sudo but no login<br><br><div dir="ltr"><div><div><div>set account to be "disabled" by having password field in /etc/shadow to '!!'. The shell can be what ever is needed to start service. If the service needs no shell, set it to /sbin/nologin.<br>
<br></div>eg.:<br><br># grep postgres /etc/passwd<br>postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash<br># grep postgres /etc/shadow<br>postgres:!!:15824::::::<br><br><br></div>No user named postgres can login BUT (only) root _can_ su - postgres since there is a shell.<br>
<br></div>These accounts can't be su'ed to :<br># grep nologin /etc/passwd<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>
<br># su - bin<br>This account is currently not available.<br># su - lp<br>This account is currently not available.<br><br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 30, 2013 at 12:28 PM, leam hall <span dir="ltr"><<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Is there a good security practice for service accounts? The goal is that an app can run as "myapp" but no one can login as myapp and myapp's password does not expire. <br>
<br></div>So far best practice seems to be having a regular shell and no password, with specific people/groups allowed to sudo over. <br clear="all">
<div><div><br></div><div>Thoughts?<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Leam<br><br></div><div>-- <br><div><a href="http://leamhall.blogspot.com/" target="_blank">Mind on a Mission</a></div>
</div></font></span></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>
</div>
<br>_______________________________________________<br>Ale mailing list<br>Ale@ale.org<br>http://mail.ale.org/mailman/listinfo/ale<br>See JOBS, ANNOUNCE and SCHOOLS lists at<br>http://mail.ale.org/mailman/listinfo<br></div><br></div></div></div></body></html>