on a Linux system there are lot's of users by default: daemon, bin, sys, games, etc.
According to my /etc/passwd most of these users have a shell assigned (/bin/sh) which seems some kind of insecure to me. My naive thinking would say: Only give those users a shell that may login to the server.
Is my thinking wrong?
If not completely wrong: Can I disable the shell for "daemon" and "www-data" without having side effects (e.g. the system wont start or the Apache PHP cannot excute system calls)?
Added: My distribution is a Debian Squeeze.
Thanks for your hints!
I am curious what Linux distribution you are seeing this in, because most distributions that I know of (and I just verified this on CentOS and Gentoo) have the shell for such users "disabled" as you are describing.
So, yes, it is safe to set the shell to
/bin/falseor/sbin/nologin. But maybe first figure out why they are not set to that value in the first place. Maybe this is something specific for the system that you are looking at.For Debian (as I see mentioned in the first comment) there is this other question that might be relevant. You can see that other people, too, consider this a bug (bug 274229, bug 581899, bug 330882)
Those users that you have asked about are not for direct login but for running a program/process under them, if at all. I would imagine that assigning no shell to them will harm anyway. But one good check is to check the /etc/shadow file and see whether the second field is X (crossed out) for those accounts. Meaning they wouldn't be able to login and get a shell.
So, my advice would be to check the /etc/shadow file first and then if you wish, go ahead and disable the shell for those users and just let the system run as usual and see whether anything breaks. If none, then you are good to go. If something breaks and you find out it is indeed for changing the shell to /bin/false (which I highly doubt would happen) then revert to original. At that time, we will require to think of further security plugins :)