<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>So a little more on this at a lower level, in the event that anyone is interested. I had a hard time wrapping my head around the concept originally and I can't imagine that I am alone there. </div><div><br></div><div>User accounts and their ID numbers are nothing more than an agreement between user space and kernel space. For example, it is possible to hand UID numbers out and attach them to files and other objects, even when the user doesn't exist. A program running as root need not authenticate a user---or may authenticate a user by some means other than the system default---before handing a process that credential to be its very own. </div><div><br></div><div>With the UID space being 32-bits wide now, it can be used for things such as assigning identifiers in a cryptographic manner that can be verified by another system (and allow for uids to be tied together at a higher level).</div><div><br></div><div>The most important part is that to the kernel, it is just a number. Nothing more. It is nothing special. And for that matter, this is how it is on virtually all multiuser systems. The UID is something that is created and provisioned by a user space application, but managed and checked by the kernel. <br><br>Sent from my iPhone</div><div><br>On Jul 30, 2013, at 1:30 PM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><div><div>set account to be "disabled" by having password field in /etc/shadow to '!!'. The shell can be what ever is needed to start service. If the service needs no shell, set it to /sbin/nologin.<br>
<br></div>eg.:<br><br># grep postgres /etc/passwd<br>postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash<br># grep postgres /etc/shadow<br>postgres:!!:15824::::::<br><br><br></div>No user named postgres can login BUT (only) root _can_ su - postgres since there is a shell.<br>
<br></div>These accounts can't be su'ed to :<br># grep nologin /etc/passwd<br>bin:x:1:1:bin:/bin:/sbin/nologin<br>daemon:x:2:2:daemon:/sbin:/sbin/nologin<br>adm:x:3:4:adm:/var/adm:/sbin/nologin<br>lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br>
<br># su - bin<br>This account is currently not available.<br># su - lp<br>This account is currently not available.<br><br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 30, 2013 at 12:28 PM, leam hall <span dir="ltr"><<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Is there a good security practice for service accounts? The goal is that an app can run as "myapp" but no one can login as myapp and myapp's password does not expire. <br>
<br></div>So far best practice seems to be having a regular shell and no password, with specific people/groups allowed to sudo over. <br clear="all">
<div><div><br></div><div>Thoughts?<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Leam<br><br></div><div>-- <br><div><a href="http://leamhall.blogspot.com/" target="_blank">Mind on a Mission</a></div>
</div></font></span></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i>
</i></i></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Ale mailing list</span><br><span><a href="mailto:Ale@ale.org">Ale@ale.org</a></span><br><span><a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a></span><br><span>See JOBS, ANNOUNCE and SCHOOLS lists at</span><br><span><a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a></span><br></div></blockquote></body></html>