9

Someone tried to hack my root user. It was interesting to me to find all the users on my system. I don't remember creating any of them. Can a hacker use any of the other default users to enter the system (with default Linux system settings)? I can't log in with any of them to check because I don't know their passwords.

I ran the command cat /etc/passwd to get all users:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used for TPM access:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:993:User for sssd:/:/sbin/nologin
chrony:x:995:992::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin
4
  • 9
    root password is disabled in Ubuntu ;-) So it is impossible to log in with that user unless you changed something at your own risk.
    – Pilot6
    Jun 29 at 18:47
  • 10
    None of the above listed users can actually log in :-) … none as in impossible … except root if you change the default disabled status, as @Pilot6 says
    – Raffa
    Jun 29 at 18:52
  • 3
    Does this answer your question? Why such long list of users and groups in my system?
    – muru
    Jun 30 at 4:58
  • 1
    @muru no, I have another one
    – Egor
    Jun 30 at 9:39

2 Answers

27

Yes, very secure.

All of these users are created by the software you installed it for. Those users often come with a systemd service specifically for that software.

Mind the /sbin/nologin at the end of some of the lines. That means NOBODY can use that user to log in to a terminal session.

halt and shutdown are there so users can stop a system.

root has a lock on the password (there will be a ! in /etc/shadow) set during install. It can be removed if need be but we generally do not. It is connected to your admin user.

8
  • In my system, root does not have any password. There is ! in the place of password hash in /etc/shadow.
    – raj
    Jun 29 at 21:15
  • 3
    @raj Actually ! doesn’t ultimately mean “no password” … but, rather more appropriately, means that “the password is locked” … please see man passwd under -l, --lock
    – Raffa
    Jun 30 at 5:15
  • 1
    I believe I read somewhere it is a 128 random generated key and a lock on the password.
    – Rinzwind
    Jun 30 at 8:04
  • @Raffa yes, I meant that by "no password". The account is locked, but it has no random-generated password that can be unlocked. If you lock an account with some password set, then you get !! followed by the password hash in /etc/shadow (so you can unlock the account by removing !!). In this case there's no password hash at all.
    – raj
    Jun 30 at 11:48
  • @raj "If you lock an account with some password set, then you get !! followed by the password hash" ... Not really (at least on Ubuntu 22.04 where I checked) ... sudo passwd -l user adds only one ! ... Check it yourself but AFAIK they are both the same ... Kindly, also see "It merely has been given a password hash which matches no possible value, therefore may not log in directly by itself." under Where is root?
    – Raffa
    Jun 30 at 14:27
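The two checks discussed in the answer and comments above (the login shell in /etc/passwd and the `!` lock in /etc/shadow), as an added example that is not part of the original posts. The function names are hypothetical, the passwd lines follow the question's output, and the user `alice` and every shadow line are constructed for illustration:

```python
# Added example: which accounts could accept a password login?
# SAMPLE_* data is constructed; "alice" and all shadow lines are made up.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
nginx:!!:19000::::::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def password_state(field):
    """Classify the password field (2nd column) of an /etc/shadow line."""
    if field == "":
        return "empty"    # no password required; investigate
    if field[0] in "!*":
        return "locked"   # '!', '!!', '*' or '!<hash>' is not a valid crypt(3) result
    return "set"

def audit(passwd_text, shadow_text):
    """Return {user: (shell_allows_login, password_state)}."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.count(":") >= 1)
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue      # skip blank or malformed lines
        name, shell = fields[0], fields[6]
        state = password_state(shadow[name]) if name in shadow else "unknown"
        result[name] = (shell not in NOLOGIN_SHELLS, state)
    return result

def password_login_candidates(passwd_text, shadow_text):
    """Accounts with a usable shell whose password is not locked."""
    return sorted(u for u, (shell_ok, state) in audit(passwd_text, shadow_text).items()
                  if shell_ok and state != "locked")

if __name__ == "__main__":
    print(password_login_candidates(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

A locked password field only blocks password authentication; shadow(5) notes that such a user may still log in by other means, so SSH authorized_keys files for accounts with a real shell are worth reviewing separately.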
10

These users aren't "logins". They aren't intrinsically a way that someone can login to your computer. Instead, think of each as a set of permissions. Let's take lp as an example.

The service lp (printer service) requires permission to talk to the printers on your system, and requires write access to the folder that holds stuff waiting to be printed. This is because most users need to be able to send commands to the printer. If there were a bug in the printer service, a user on the system might be able to hijack it. By running this service as lp, a user who hijacks the printer service will only take control of the printer, not the whole machine. This is not good, since it would let them spy on what's being printed, but it's less catastrophic than them taking over the entire system.

As stated in Rinzwind's answer, most of these users don't allow logins. You can only become these accounts by starting as a higher privileged account (usually root), and then downgrading your privileges. As an example, the thing that starts the printer spooler might be root (full administrator) and chooses to downgrade the print spooler to the permissions of lp. This isn't a route a malicious user will take, because if a malicious user is already root, there's no point in downgrading their permissions.

This means those accounts are generally increasing the security. Or more accurately, your system is more secure than if those services were all running under a single account that had a lot more privileges.
