Interestingly enough, on my Ubuntu derivative with nginx installed with apt
, the www-data
user has a shell:
$ cat /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh
Shouldn't this be set to something like /bin/false
? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?
Well
/bin/false
(or/bin/true
if you're a positive person) is a real shell - it's just not an interactive shell :-) There's also/sbin/nologin
on some systems which serves the same purpose.As to whether your Apache user needs an interactive shell (something like
bash
), the answer as others have said is "Usually, no."Setting the Apache user's shell to something non-interactive is generally good security practice (really all service users who don't have to log in interactively should have their shell set to something that's non-interactive).
Tour an existing environment like yours, try it, and see if anything breaks.
If nothing breaks use the non-interactive shell from now on.
If stuff breaks try to fix it without restoring the interactive shell :-)