When looking into /etc/passwd and /etc/shadow I found many non-human users. I read a bit about it and know what they do (as a group, though specifically I see many I have no clue about). All of them (excluding root (locked pwd) and my human user account) have never established passwords (*'s).
Are there any tests or things I can or should do to ensure these are not leaks and we can trust them?
The existence of a user account in itself does not mean that user has any privileges, whether it's a "system" user or a regular user. If you went ahead and created a new system account it would be able to do nothing - it would have the same privileges as nobody (indeed, most system accounts are created for the purpose of giving something as few privileges as possible). Only someone with the privileges to do so (i.e., superuser) can give another user privileges, by modifying ownership or permissions in the filesystem.
The ownership and permissions throughout a complete Linux installation are so complex that you can't describe exactly what they all should be in a single post. If you suspect that your system has been compromised, you'd have to tailor your treatment based on exactly what the situation is. If you have no reason to suspect this is the case then it would be impractical to audit everything in your system to ensure nothing has more permissions than it should.
Another note: system accounts generally don't have a password because you don't ever need to log in to them. When an account lacks a password in .passwd, it doesn't mean you can log in with no password, it means you can't log in to that account at all. The account can only be used when a privileged process spawns or switches itself to using that account.
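One way to run the kind of check the question asks about, as an added example that is not part of the original posts: it classifies each account's password field and flags the few cases that do allow a login. The sample entries, the `UID_MIN` value of 1000 and the list of no-login shells are assumptions.

```python
# Added example. Sample entries are constructed; on a real host read
# /etc/passwd and /etc/shadow (the latter requires root).
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
UID_MIN = 1000  # assumption: first regular-user UID (UID_MIN in login.defs)

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
svc:x:0:0:constructed second uid 0:/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
svc:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def password_state(field):
    """Classify the password field of a shadow (or old-style passwd) entry."""
    if field == "":
        return "empty"   # no password required at all; not the same as '*'
    if field[0] in "*!":
        return "locked"  # not a valid hash, so no password can ever match
    return "hash"        # a real password is set

def audit(passwd_text, shadow_text):
    """Return (account, issue) pairs worth a closer look."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.strip())
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        # 'x' in passwd means the real field lives in shadow
        state = password_state(shadow.get(name, "!") if pw == "x" else pw)
        if int(uid) == 0 and name != "root":
            findings.append((name, "extra-uid0"))
        if state == "empty":
            findings.append((name, "empty-password"))
        if (int(uid) < UID_MIN and name != "root" and state == "hash"
                and shell not in NOLOGIN):
            findings.append((name, "system-account-can-log-in"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {issue}")
```

Accounts whose field is `*` or `!` produce no finding; only an empty field, a second UID 0, or a system account with a real hash and an interactive shell is reported.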