10

Someone tried to hack my root user. It was interesting to me to find all the users in my system. I don't remember creating any of them. Can a hacker use any of the other default users to enter the system (with default Linux system settings)? I can't log in with any of them to check because I don't know their passwords.

I ran a command to get all users: cat /etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:993:User for sssd:/:/sbin/nologin
chrony:x:995:992::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin
Egor
  • 211

2 Answers

28

Yes, very secure.

All of these users are created by the software you installed them for. Those users often come with a systemd service specifically for that software.

Mind the /sbin/nologin at the end of some of the lines. That means NOBODY can use that user to log in to a terminal session.

halt and shutdown are there so users can stop a system.

root has a lock on the password (there will be a ! in /etc/shadow) set during install. It can be removed if need be, but we generally do not. It is connected to your admin user.

Rinzwind
  • 299,756
  • In my system, root does not have any password. There is ! in the place of password hash in /etc/shadow. – raj Jun 29 '22 at 21:15
  • 3
    @raj Actually ! doesn’t ultimately mean “no password” … but, rather more appropriately, means that “the password is locked” … please see man passwd under -l, --lock – Raffa Jun 30 '22 at 05:15
  • 1
    I believe I read somewhere it is a 128 random generated key and a lock on the password. – Rinzwind Jun 30 '22 at 08:04
  • @Raffa yes, I meant that by "no password". The account is locked, but it has no random-generated password that can be unlocked. If you lock an account with some password set, then you get !! followed by the password hash in /etc/shadow (so you can unlock the account by removing !!). In this case there's no password hash at all. – raj Jun 30 '22 at 11:48
  • @raj "If you lock an account with some password set, then you get !! followed by the password hash" ... Not really (at least on Ubuntu 22.04 where I checked) ... sudo passwd -l user adds only one ! ... Check it yourself but AFAIK they are both the same ... Kindly, also see "It merely has been given a password hash which matches no possible value, therefore may not log in directly by itself." under Where is root? – Raffa Jun 30 '22 at 14:27
  • @Raffa: A curious decision because * is traditional. – Joshua Jul 01 '22 at 04:50
  • @Joshua curious indeed but novel nonetheless … imagine enabling the root’s password in this case be it intentionally or unintentionally … still the password hash will not match anything so login would still be impossible …. I guess “a password hash which matches no possible value” means the hash is broken/intentionally altered so no hashing algorithm can resolve/crack it … which adds another layer of security. – Raffa Jul 01 '22 at 05:27
  • A nitpick but root can log in to these accounts and get a terminal session. sudo -u daemon /bin/bash. If you're already root then you don't need the terminal session but occasionally it helps in diagnosing environment problems. – doneal24 Jul 01 '22 at 17:37
10

These users aren't "logins". They aren't intrinsically a way that someone can login to your computer. Instead, think of each as a set of permissions. Let's take lp as an example.

The service lp (printer service) requires permission to talk to the printers on your system, and requires write access to the folder that holds stuff waiting to be printed. This is because most users need to be able to send commands to the printer. If there were a bug in the printer service, a user on the system might be able to hijack it. By running this service as lp, a user who hijacks the printer service will only take control of the printer, not the whole machine. This is not good, since it would let them spy on what's being printed, but it's less catastrophic than them taking over the entire system.

As stated in Rinzwind's answer, most of these users don't allow logins. You can only become these accounts by starting as a higher privileged account (usually root), and then downgrading your privileges. As an example, the thing that starts the printer spooler might be root (full administrator) and chooses to downgrade the print spooler to the permissions of lp. This isn't a route a malicious user will take, because if a malicious user is already root, there's no point in downgrading their permissions.

This means those accounts are generally increasing the security. Or more accurately, your system is more secure than if those services were all running under a single account that had a lot more privileges.

guntbert
  • 13,134
Patrick M
  • 205
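Both answers come down to one check: an account can only be used for an interactive login if its shell is not a nologin shell and its /etc/shadow field holds a usable hash (the comments above cover what !, !! and * mean there). The script below is an added audit example, not code from the question or either answer; the passwd and shadow lines in it are constructed sample data, and the set of nologin shells is an assumption to adjust for your distribution.

```python
# Added example: classify accounts by whether an interactive login is possible.
# Sample data below is constructed, not taken from a real host.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
bob:!$6$constructed$notarealhash:19000:0:99999:7:::
"""

def parse_colon_file(text, min_fields):
    """Map account name -> list of fields, skipping blank/comment/short lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) >= min_fields:
            entries[fields[0]] = fields
    return entries

def shadow_state(hash_field):
    """Interpret the password field of an /etc/shadow entry."""
    if hash_field == "":
        return "empty"                       # no password at all: worst case
    if hash_field.startswith("!"):           # passwd -l / usermod -L style lock
        return "locked-no-hash" if hash_field.lstrip("!") == "" else "locked-hash"
    if hash_field == "*":
        return "no-password"                 # traditional marker: matches no hash
    return "hash"

def audit(passwd_text, shadow_text):
    """Return {name: verdict}; only 'login-possible' accounts can be used directly."""
    shadow = parse_colon_file(shadow_text, 2)
    verdict = {}
    for name, f in parse_colon_file(passwd_text, 7).items():
        if f[6] in NOLOGIN_SHELLS:
            verdict[name] = "service-account"     # shell refuses interactive sessions
        elif name not in shadow:
            verdict[name] = "no-shadow-entry"
        else:
            state = shadow_state(shadow[name][1])
            verdict[name] = {"hash": "login-possible",
                             "empty": "LOGIN-WITHOUT-PASSWORD"}.get(state, state)
    return verdict

if __name__ == "__main__":
    for name, v in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name:12} {v}")
```

On a real host, read /etc/passwd and /etc/shadow (the latter needs root) and pass their contents to audit(); anything other than service-account or a locked state deserves a look.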