102

An error occurs when I try to make an SSH connection:

$ ssh -p 22 www-data@x.x.x.x 
This account is currently not available
muru
Mert Özoğul

3 Answers

158

While I agree with the others that allowing login through SSH through the www-data user is generally a bad idea, once you've logged in with a normal user it may be useful to run multiple commands concurrently with the permissions set of the www-data user. In that case, one can run

sudo su -l www-data -s /bin/bash

and you will be able to access your files as the www-data user.

  • 8
    Very useful for debugging permissions for a daemon/service user – jmng Feb 14 '19 at 14:06
  • 2
    you just saved my day thanks! I had trouble getting perl-fcgi service started because the startup script was not using -s /bin/bash – Couitchy Jun 04 '19 at 13:20
  • maybe it has a simple way to make git pull without su - www-data? and generate rsa key for www-data user – Vasilii Suricov Nov 24 '19 at 19:55
  • 1
    Very useful to check the crontab of the www-data, which can contain code inserted by bots if your website is not totally secure (in my case Laravel debug mode vulnerability). – user1097111 Jun 25 '21 at 16:17
92

You're getting the "This account is currently not available." error because the shell for the user www-data is set to /usr/sbin/nologin, and it's set for a very good reason. You should not log in as www-data; it's a special user/group used by the web server, not intended for regular shell use.

EDIT: It is an especially bad idea to give sudo rights to www-data. If Apache was intended to run with root permissions, it wouldn't have its own group. By doing this, you are creating huge security holes. You have been warned.

kraxor
  • 8
    That's not very constructive. What information do you think I should add to make this answer better? – kraxor Oct 13 '15 at 10:17
  • 5
    @kraxor is correct but if you must you can login as root and change /usr/sbin/nologin in /etc/passwd to /bin/bash and it'll grant that user shell access. I do this when just running a snap binary as my webserver. www-data is generally reserved for nginx/apache on ubuntu hence the no login status. – engineerDave Oct 13 '15 at 22:19
  • 4
    @RyanNerd It's your choice not to "give a rat's a$$ about security crap". Running everything as root is not recommended even inside Docker. You could of course configure Apache to run as root, or add a login shell to www-data, but that's like opening a bottle of wine by breaking the bottle because you're too lazy and careless to use a cork-screw. – kraxor Mar 23 '16 at 13:08
  • I have a similar case. I want to run LibreOffice in headless mode in a way that it can be called by a PHP script to convert documents and that it can write files to disk as www-data because these files later need to be deleted by www-data (part of a PHP script) to clean them up.

    This (launching a headless LibreOffice as user www-data) used to work in previous versions of Ubuntu, and I understand that this is a security improvement over these earlier versions.

    – ywarnier Jul 21 '16 at 23:05
  • I solved it like this:
    • I create a new user,
    • add it to the group www-data and launch the LibreOffice instance with this user,
    • then set the permissions for the base directory through PHP (I had to use umask(0) in PHP to avoid a tricky umask that always reduced my folder access to 0755 which prevented the new user from creating a file there),
    • call the conversion process,
    • then treat the file with PHP
    • and finally delete the directory

    This is working fine as a replacement to the previous launching as www-data.

    – ywarnier Jul 21 '16 at 23:07
  • If you set /bin/sh for www-data user then exploited the security right? – Nullpointer Jun 21 '17 at 12:19
  • most likely there is a www-data group as well. Create a user and add them to that www-data group. Then everything is chown by www-data:www-data and you can log in as your newly created user and have the group permission. – Craig Gjerdingen Feb 04 '21 at 04:03
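
To check a host for the condition discussed in this answer and its comments (a service account such as www-data whose shell has been changed from /usr/sbin/nologin to a login shell), here is an added example that is not part of any post in this thread. The function names, the UID range 1-999 for service accounts (the Debian/Ubuntu default) and the sample passwd lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag service accounts that have an interactive login shell.
# Assumptions: UIDs 1-999 are service accounts (Debian/Ubuntu default) and
# shells ending in nologin, false or sync do not give an interactive session.

audit_service_shells() {
    # Reads passwd-format lines from the files given as arguments, or stdin.
    # Prints "name:shell" for every service account that can get a shell.
    awk -F: '
        NF != 7                        { next }  # blank or malformed entry
        $3 < 1 || $3 > 999             { next }  # root and regular users
        $7 ~ /\/(nologin|false|sync)$/ { next }  # no interactive session
        $7 == "" { print $1 ":/bin/sh"; next }   # empty field means /bin/sh
        { print $1 ":" $7 }
    ' "$@"
}

# Constructed sample: www-data after its shell was edited in /etc/passwd,
# plus a hypothetical "legacy" account with an empty shell field.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
legacy:x:120:120::/var/lib/legacy:
deploy:x:1000:1000:Deploy,,,:/home/deploy:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

sample_passwd | audit_service_shells
```

On a live system run `audit_service_shells /etc/passwd`; an empty result means no service account has an interactive shell. A one-off `sudo su -l www-data -s /bin/bash` session does not modify /etc/passwd, so it does not show up here.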
-2

The first question I would have to ask is, what are you trying to accomplish by doing this?

kraxor is 100% correct: you should never be able to ssh into your server using your Apache/Nginx user. Doing so invites every hacker with half a brain cell into your server.

If you need to run a script or some program as that user you could try sudo -u www-data yourscript or you could temporarily chown the file to a user with login privileges. It's just a very bad idea to allow this account that kind of access.

LovesTha