aijarot
Does anyone know what this means? "successful su for nobody by root" "+ ??? root:nobody" "(pam_unix) session opened for user nobody by (uid=0)"
kav
I found a lot of these in my /var/log/auth.log
Dec 18 06:25:03 localhost su[3224]: Successful su for nobody by root
Dec 18 06:25:03 localhost su[3224]: + ??? root:nobody
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session opened for user nobody by (uid=0)
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session closed for user nobody
What does a su for nobody by root mean?
I mean I have plenty of successful su for root by (user), but what on earth is su for nobody by root?
I found this 'nobody' in my /etc/passwd file too. Is it used by a program or has my box been compromised like a chump?
redazz
nobody is a system user that is used to run services e.g. apache and samba on Linux distros. Root has to start the service and then pass on control to the user "nobody".
int0x80
As a precautionary measure, I set the shell to /dev/null
Code:
int0x80:~$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/dev/null
Don't forget to add /dev/null as a shell
Code:
echo "/dev/null" >> /etc/shells
redazz
Most distros set the shell for nobody to /bin/false which is similar to your suggestion.
int0x80
It should also be noted that there is a difference between having the shell as /bin/false or /bin/nologin and having the shell as /dev/null. For example, set each of those as the shell for a test user, then attempt to log in through SSH on each one. With a shell of /dev/null, an attacker could not be certain whether the attempted user exists on the system -- not the case where /bin/false or /bin/nologin is the shell.
kay
Yes, /dev/null seems to be just a little bit better just for that reason.
techemically
I get this when trying to run this command:
desktop:~$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
This "nobody" just popped up one day under my normal profile name and I cannot set it to /dev/null. I get permission denied.
jomen
In light of these option-hints I think the command would have to be:
chsh -s /dev/null nobody or chsh --shell /dev/null nobody
see:
http://www.debian.org/doc/manuals/system-administrator/ch-sysadmin-users.html
http://www.debianhelp.co.uk/usersid.htm
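A triage sketch for the log lines discussed in this thread, added here as an example and not posted by any participant: it extracts su's `+ tty caller:target` summary records from auth.log text and looks up the target account's shell in passwd data. The sample log and passwd text are constructed (the alice entries are invented), and reading `???` as "su was run without a terminal" is based on how the shadow su utility logs a caller that has no tty.

```python
import re

# Constructed sample input modelled on the lines quoted in the thread.
AUTH_LOG = """\
Dec 18 06:25:03 localhost su[3224]: Successful su for nobody by root
Dec 18 06:25:03 localhost su[3224]: + ??? root:nobody
Dec 18 06:25:03 localhost su[3224]: (pam_unix) session opened for user nobody by (uid=0)
Dec 18 09:12:44 localhost su[4102]: Successful su for root by alice
Dec 18 09:12:44 localhost su[4102]: + pts/1 alice:root
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells named in the thread as non-login choices, plus common nologin paths.
NON_LOGIN = {"/bin/false", "/bin/nologin", "/sbin/nologin",
             "/usr/sbin/nologin", "/dev/null"}
# su summary record: "+" or "-" (success or failure), tty, caller:target.
SU_RECORD = re.compile(r"su\[\d+\]: ([+-]) (\S+) ([^:\s]+):(\S+)$")

def load_shells(passwd_text):
    """Map account name -> login shell; an empty 7th field means /bin/sh."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    return {f[0]: f[6] or "/bin/sh" for f in rows if len(f) == 7}

def su_events(log_text, passwd_text):
    """Return one dict per su summary record, annotated for triage."""
    shells = load_shells(passwd_text)
    events = []
    for line in log_text.splitlines():
        m = SU_RECORD.search(line)
        if not m:
            continue
        result, tty, caller, target = m.groups()
        shell = shells.get(target)
        events.append({
            "ok": result == "+",
            "tty": None if tty == "???" else tty,  # "???": no terminal
            "caller": caller, "target": target,
            "target_shell": shell,
            "target_can_login": shell is not None and shell not in NON_LOGIN,
        })
    return events

if __name__ == "__main__":
    for event in su_events(AUTH_LOG, PASSWD):
        print(event)
```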