How can I check whether a user has login permissions on Ubuntu?

3

2

I want to make sure that the user www-data cannot be used to log in on my system (Ubuntu Lucid). How can I find out? Is there a command I can run against this user? (It is traditionally run by the Apache daemon.)

morpheous

Posted 2010-07-12T16:56:50.977

Reputation: 3 533

Answers

2

passwd -l www-data

Daenyth

Posted 2010-07-12T16:56:50.977

Reputation: 5 742

2 From man passwd: "Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970)." – Paused until further notice. – 2010-07-12T20:51:20.907

It's effectively disabled since he'd have to add a key to log in with it – Daenyth – 2010-07-13T03:32:50.917

1 Hold on, when you talk about the account being 'disabled' - do you mean that Apache can no longer run as the user 'www-data'? (That's not what I want.) I want Apache to continue running as the user www-data, but I don't want anyone to be able to log into the system using www-data as a username. I have seen attempts in my log of users trying a brute force attempt to hack into my server using the username www-data - that is what prompted this question. – morpheous – 2010-07-13T14:46:00.047

2 By disabled I mean to say that login is disabled. – Daenyth – 2010-07-13T21:26:53.153

8

The information you want is in the /etc/passwd file (which is world readable - the hashes of passwords are actually kept in /etc/shadow). So you can

$ grep www-data /etc/passwd

which should produce something along the lines of

www-data:x:111:112::/home/www-data:/bin/false

(I don't have apache installed, so the details are probably different). The important detail is the part after the last : which is the login shell. In this case it is /bin/false, which means you can't log in as that user. If you look at the line corresponding to your username, you will see it is /bin/bash, thus allowing you to log in.

If www-data has a valid login shell then just go and edit /etc/passwd and change the login shell to /bin/false.

Hamish Downer

Posted 2010-07-12T16:56:50.977

Reputation: 3 064

3 And use vipw to edit the file so you don't mess it up! – Daenyth – 2010-07-12T20:39:24.973

1 Won't work if the authdb is in e.g. LDAP. – Ignacio Vazquez-Abrams – 2010-07-12T21:09:12.183
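The two answers and the comments on them describe three separate controls: the login shell in /etc/passwd, the password lock that passwd -l sets in /etc/shadow, and the expiry date that usermod --expiredate 1 sets. The script below is an added example, not code from either answer, that reads one passwd line and one shadow line (constructed samples, not from a real host) and reports each control separately so the "locked but SSH key still works" case is visible. The list of non-login shells and the verdict labels are my own assumptions; it checks local files only, so the LDAP caveat above still applies.

```shell
#!/bin/sh
# Added example: classify an account's login state from its /etc/passwd and
# /etc/shadow entries. Sample lines at the bottom are constructed.

# Shells that end a session immediately (assumed common set; not from /etc/shells).
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin|/bin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# login_status PASSWD_LINE SHADOW_LINE [TODAY_DAYS]
# TODAY_DAYS = days since the epoch; defaults to now, passed explicitly for reproducible output.
login_status() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)      # 7th passwd field: login shell
    hash=$(printf '%s\n' "$2" | cut -d: -f2)       # 2nd shadow field: password hash
    expire=$(printf '%s\n' "$2" | cut -d: -f8)     # 8th shadow field: expiry (days since epoch)
    today=${3:-$(( $(date +%s) / 86400 ))}

    if is_nologin_shell "$shell"; then shell_state=nologin; else shell_state=login; fi

    case "$hash" in
        '!'*|'*'*) pw_state=locked ;;   # passwd -l prefixes the hash with '!'; '*' means no usable password
        '')        pw_state=empty ;;    # no password at all: risky if a login shell is set
        *)         pw_state=set ;;
    esac

    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then acct_state=expired; else acct_state=active; fi

    # Only expiry refuses every authentication method; a locked password still
    # allows an SSH key, and a nologin shell only ends the session after auth.
    if   [ "$acct_state" = expired ];   then verdict=disabled
    elif [ "$shell_state" = nologin ];  then verdict=no-interactive-login
    elif [ "$pw_state" = locked ];      then verdict=key-login-still-possible
    else                                     verdict=login-allowed
    fi
    printf '%s shell=%s password=%s account=%s verdict=%s\n' \
        "$user" "$shell_state" "$pw_state" "$acct_state" "$verdict"
}

# Constructed samples: the Apache user as typically shipped, a user after
# `passwd -l`, and the same user after `usermod --expiredate 1`.
login_status 'www-data:x:33:33:www-data:/var/www:/bin/false' 'www-data:*:18000:0:99999:7:::' 20000
login_status 'alice:x:1000:1000::/home/alice:/bin/bash' 'alice:!$6$abc$xyz:18000:0:99999:7:::' 20000
login_status 'alice:x:1000:1000::/home/alice:/bin/bash' 'alice:!$6$abc$xyz:18000:0:99999:7::1:' 20000
```

On a live system, feed it `getent passwd www-data` and the matching line from /etc/shadow (readable only as root).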