ispconfig user shell question

Discussion in 'Installation/Configuration' started by monkfish, May 11, 2020.

  1. monkfish

    monkfish Member

    Hello,
    Can I ask please for the use case of having the ispconfig user having a shell login account?

    From /etc/passwd:
    ispconfig:x:<user>:<group>::/usr/local/ispconfig:/bin/bash

    What is the requirement for having a shell login, can it be redacted to a system account ie /sbin/nologin or similar
    There may of course be a requirement for, eg, clustering etc. I would simply like to understand if the default config can be redacted to suggest a more secure configuration and not expose the user account.
    Grateful for thoughts

    Kindest regards
    M
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig user has a shell, but you can't login as user ispconfig.

    [email protected]:~# grep ispconfig /etc/passwd
    ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh
    ro[email protected]:~# grep ispconfig /etc/shadow
    ispconfig:!:18075:0:99999:7:::

    But you can probably change the shell to e.g. /usr/sbin/nologin
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    This is from my host:
    Code:
    [email protected]:~# grep ispconfig /etc/passwd
    ispconfig:x:5003:5004::/usr/local/ispconfig:
    
     
  5. monkfish

    monkfish Member

    Hey both, thanks for the info
    Apologies for not clarifying OS and ispconfig version which for the record is CentOS 7.8.2003 x64 and ispconfig latest stable 3.1.15p3. I forget exactly which version was used for original install, that which was current stable at March 2019.

    Use case is a hardening eval which has highlighted the ispconfig user having a shell is a potential attack vector. I don't disagree, although other significant controls are in place .I will investigate changing to a null logon.

    Potentially suggests a null login to be configured as an installation default for the ispconfig user?

    Per above, thanks for info
    Thanks for ispconfig!
    M
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I will check that.
     
  7. monkfish

    monkfish Member

    To confirm that setting a user shell of /sbin/nologin in /etc/passwd for ispconfig account gives no detrimental effect.
    Operations tested are on a single server no cluster but entire website and client api seem operational.

    Further question on directory permission, this is linked with original question of permissions/access:
    Home drive /usr/local/ispconfig, currently showing as 755 and ownership of ispconfig/ispconfig.
    Code:
    drwxr-xr-x. 5 ispconfig ispconfig   53 Jan 23  2019 ispconfig
    However inside folders show user/group permissions all with permisisons of 750:
    Code:
    drwxr-x---.  9 ispconfig ispconfig  106 Jan 23  2019 interface
    drwxr-x---.  3 root      ispconfig  223 Feb 23  2019 security
    drwxr-x---. 13 root      root      4096 Jan 23  2019 server
    
    Does this fit in with intended model, with my little brain I am struggliing to understand how the top-level folder has permissions of ispconfig/ispconfig yet lower level folder has greater permissions. Most probably my failure to understand permissions
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It simply does not matter. Change it to 750 if you want but leaving it at 755 is fine as well, it makes no difference as there is nothing in that folder that changes and nothing that someone should not be able to see.
     
  9. monkfish

    monkfish Member

    I hear you till, thanks for that.
    Not gonna try and over-think it, will leave as-is. Thanks for considering the user creation shell.
    Kindest regards
    M
     

Share This Page