Hello,
Can I ask please for the use case of having the ispconfig user having a shell login account?
From /etc/passwd:
ispconfig:x:<user>:<group>::/usr/local/ispconfig:/bin/bash
What is the requirement for having a shell login, can it be redacted to a system account, i.e. /sbin/nologin or similar?
There may of course be a requirement for, e.g., clustering etc. I would simply like to understand if the default config can be redacted to suggest a more secure configuration and not expose the user account.
Grateful for thoughts
Kindest regards
M
https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
On my ISPConfig 3 setup, the ISPConfig user in /etc/passwd does not have a shell.
The ISPConfig user has a shell, but you can't log in as user ispconfig.
root@server1:~# grep ispconfig /etc/passwd
ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh
root@server1:~# grep ispconfig /etc/shadow
ispconfig:!:18075:0:99999:7:::
But you can probably change the shell to e.g. /usr/sbin/nologin.
This is from my host:
Code:
root@myhost:~# grep ispconfig /etc/passwd
ispconfig:x:5003:5004::/usr/local/ispconfig:
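Added example (not part of any post in this thread, and not ISPConfig code): a small POSIX sh check that classifies an account from its passwd and shadow lines, covering the entry shapes quoted above plus a nologin variant. The function names are hypothetical and the sample lines are constructed from the values shown in the thread; the empty-shell case follows passwd(5), where an empty shell field means /bin/sh.

```sh
#!/bin/sh
# Added example: function names are hypothetical, sample lines are constructed.

# shell_state PASSWD_LINE -> nologin | interactive
shell_state() {
    login_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    # passwd(5): an empty shell field falls back to /bin/sh
    [ -n "$login_shell" ] || login_shell=/bin/sh
    case "$login_shell" in
        */nologin|*/false) echo nologin ;;
        *)                 echo interactive ;;
    esac
}

# password_state SHADOW_LINE -> empty | locked | set
password_state() {
    pw_field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw_field" in
        '')        echo empty ;;   # no password needed at all
        '!'*|'*'*) echo locked ;;  # shadow(5): no password can match
        *)         echo set ;;
    esac
}

# audit_account PASSWD_LINE SHADOW_LINE -> "user: verdict"
audit_account() {
    acct=$(printf '%s\n' "$1" | cut -d: -f1)
    case "$(shell_state "$1")/$(password_state "$2")" in
        nologin/locked)     verdict="ok (no interactive shell, password locked)" ;;
        nologin/*)          verdict="review (no interactive shell, password not locked)" ;;
        interactive/locked) verdict="review (password locked, shell still interactive)" ;;
        *)                  verdict="FAIL (interactive shell, password not locked)" ;;
    esac
    echo "$acct: $verdict"
}

# Constructed samples mirroring the entries quoted in the thread.
SHADOW='ispconfig:!:18075:0:99999:7:::'
for entry in \
    'ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/bash' \
    'ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh' \
    'ispconfig:x:5003:5004::/usr/local/ispconfig:' \
    'ispconfig:x:5003:5004::/usr/local/ispconfig:/sbin/nologin'
do
    audit_account "$entry" "$SHADOW"
done
```

On a live host the two arguments can come from `getent passwd ispconfig` and, run as root, `getent shadow ispconfig`.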
Hey both, thanks for the info.
Apologies for not clarifying OS and ispconfig version, which for the record is CentOS 7.8.2003 x64 and ispconfig latest stable 3.1.15p3. I forget exactly which version was used for original install, that which was current stable at March 2019.
Use case is a hardening eval which has highlighted the ispconfig user having a shell is a potential attack vector. I don't disagree, although other significant controls are in place. I will investigate changing to a null logon.
Potentially suggests a null login to be configured as an installation default for the ispconfig user?
Per above, thanks for info
Thanks for ispconfig!
M
To confirm that setting a user shell of /sbin/nologin in /etc/passwd for ispconfig account gives no detrimental effect. Operations tested are on a single server, no cluster, but entire website and client api seem operational.
Further question on directory permission, this is linked with original question of permissions/access:
Home drive /usr/local/ispconfig, currently showing as 755 and ownership of ispconfig/ispconfig.
Code:
drwxr-xr-x. 5 ispconfig ispconfig 53 Jan 23 2019 ispconfig
However inside folders show user/group permissions all with permissions of 750:
Code:
drwxr-x---. 9 ispconfig ispconfig 106 Jan 23 2019 interface
drwxr-x---. 3 root ispconfig 223 Feb 23 2019 security
drwxr-x---. 13 root root 4096 Jan 23 2019 server
Does this fit in with intended model? With my little brain I am struggling to understand how the top-level folder has permissions of ispconfig/ispconfig yet lower level folder has greater permissions. Most probably my failure to understand permissions.
It simply does not matter. Change it to 750 if you want but leaving it at 755 is fine as well, it makes no difference as there is nothing in that folder that changes and nothing that someone should not be able to see.
I hear you Till, thanks for that. Not gonna try and over-think it, will leave as-is. Thanks for considering the user creation shell.
Kindest regards
M