Does www-data user need a real shell?

security user-accounts

Interestingly enough, on my Ubuntu derivative with nginx installed with apt, the www-data user has a shell:

$ cat /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh

Shouldn't this be set to something like /bin/false? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?


Solution 1:

Well /bin/false (or /bin/true if you're a positive person) is a real shell - it's just not an interactive shell :-) There's also /sbin/nologin on some systems which serves the same purpose.

As to whether your Apache user needs an interactive shell (something like bash), the answer as others have said is "Usually, no."
Setting the Apache user's shell to something non-interactive is generally good security practice (really all service users who don't have to log in interactively should have their shell set to something that's non-interactive).

Tour an existing environment like yours, try it, and see if anything breaks.
If nothing breaks use the non-interactive shell from now on.
If stuff breaks try to fix it without restoring the interactive shell :-)

Related

Revert GPO Settings to Undefined
How to scale up a web server supporting long polling
Why doesn't VMWare DRS automatically migrate VMs when a host is put in maintenance mode?
What is the difference between the two DFS Replication Group Types?
linux OOM-kill why?
Netbooting ALL types of OSes
Importance of disk alignment for Windows Server 2012
Custom routes with defineRoutes
Parse each line with multiple string values in a file using shell script
Unexpected collision with std::hash
How does httpOnly prevent from malicious package to steal the content in it?
Can't access view in holder