Ubuntu Server insecurity?

I just found out that my Ubuntu Server 6.10 has login shells set for almost all users in the /etc/passwd file!

That’s a very bad idea, because this may have enabled someone to install the “Data Cha0s Back Backdoor” on my machine :-(

I checked this with 2 other fresh Ubuntu Server 6.10 installations and both had login shells for users like daemon, mail, www-data and so on. In my opinion, www-data in particular should not have any chance to get a shell!

So I changed /bin/sh to /usr/sbin/nologin and hope this makes it a bit more secure.
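As an added example, not part of the original post, here is a POSIX shell audit of the situation described above: it lists system accounts whose passwd shell still allows a login and shows whether /etc/shadow has a password set for them (the point raised in the first comment below). The sample passwd/shadow files it builds are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added audit example (not from the original post): flag system accounts
# (UID below 1000, root excluded) whose shell field still permits a login.

# Return 0 when the shell field cannot start an interactive session.
is_nologin_shell() {
    case "$1" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "user:shell:password-state" for each flagged account in passwd ($1),
# looking the password hash up in the shadow file ($2).
audit_login_shells() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        [ "$uid" -ge 1000 ] && continue
        [ "$user" = root ] && continue
        is_nologin_shell "$shell" && continue
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$2")
        case "$hash" in
            '')        state=no-password ;;  # empty field: login needs no password
            '!'*|'*'*) state=locked ;;       # disabled hash: no password login
            *)         state=has-password ;;
        esac
        printf '%s:%s:%s\n' "$user" "$shell" "$state"
    done < "$1"
}

# Constructed sample passwd/shadow pair (not real system data) for an offline run.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:105:110:MySQL Server:/var/lib/mysql:/bin/false
wolfi:x:1000:1000:Wolfi:/home/wolfi:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:13600:0:99999:7:::
daemon:*:13600:0:99999:7:::
mail:*:13600:0:99999:7:::
www-data::13600:0:99999:7:::
mysql:!:13600:0:99999:7:::
wolfi:$6$constructed$notarealhash:13600:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}
```

On a live machine run `audit_login_shells /etc/passwd /etc/shadow` as root. A nologin shell only stops programs that consult the passwd shell field, such as login, su and sshd; a compromised service can still execute /bin/sh directly, so the shell field is one layer, not a complete fix.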

2 Responses to “Ubuntu Server insecurity?”

  1. Eric Poscher says on April 3rd, 2007 at 12:06 pm

    Hello Wolfi,
    In principle I agree with you. However, that is also the case in a standard Debian testing installation, where only “mysql” and “Debian-exim” are set to /bin/false. And in the end it still depends on whether a password is set in /etc/shadow. Best regards, Eric

  2. shadowman says on April 29th, 2007 at 4:54 am

    Hi! How are you?
    Nice site!
