Usernames in /etc/passwd - linux-kernel

I'm new to linux operating system and I've explored today the /etc/passwd file and to my surprise I found that it contains many other user names like proxy,daemon..etc.What are all these users?Can I login using these users?
Here the cat command i performed on /etc/passwd.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management
daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
brucewilson:x:1000:1000:brucewilson,,,:/home/brucewilson:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
bharghav:x:1001:1001:bharghav,,,:/home/bharghav:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:118:65534::/var/lib/nfs:/bin/false
snmp:x:119:126::/var/lib/snmp:/bin/false
guest-MSvo95:x:120:127:Guest,,,:/tmp/guest-MSvo95:/bin/bash
Can anyone please explain what are these?

Most of those users are required by the OS processes to work. You can't login as one of those users because:
a. They don't have a shell as regular users does. For example, brucewilson has /bin/bash as shell, but pulse (Audio Controller ) has /bin/false.
b. There are not passwords for those users, so when the system asks for a password, no matter what you type you will never get in. You can check who has a password in /etc/shadow.

Actually, you can login as any user listed in /etc/passwd as of your choice.
for example, if you want to login as proxy, type the following command:
sudo -u proxy /bin/bash
It will asks password to authenticate the access, you can give your password only if your user account is added in sudoers list.
You can use the same command to login as any user in the /etc/passwd file.
For example, again if you want to log in as daemon, type the following command:
sudo -u daemon /bin/bash
and so on...
Hope this will help you.

Related

Check if current user is different than the default user in bash script

I want to check if I am using elevated user rights, like running su another_user and seeing my original user name / id.
All I found when researching that topic is either hardcode my own username somewhere, or examples for root user only (id=0).
I think zsh has a variable for that: $DEFAULT_USER, but it's not working in bash.

Disable sudo password for specific user login

I have a bash script that executes some PostgreSQL as
sudo -i -u postgres psql <<EOF > /dev/null
--SQL CODE
EOF
The sudo asks me for a password for the current user and I'd like to disable that. I don't want to provide a password inside the script through sudo -S. I know I can disable the password for sudo using visudo, however I need to specify the command for which to disable it (I don't want to disable it globally). How do I disable the sudo password for sudo -i -u postgres ?
You probably like a line in the sudoers file as follows:
script_user ALL = (postgres) NOPASSWD: /usr/bin/psql
The individual items in the line are as follows:
script_user: the (standard) user which uses the bash script (i.e., your user account)
ALL: special variable, here at the position where it indicates all hosts. You could try and limit this to e.g. localhost if you want
(postgres): user to run the command(s) as. That is, the user specified by the -u option
NOPASSWD: special variable indicating that the following command does not require a password (for this combination of user, sudo user and host, of course)
/usr/bin/psql: the specific command allowed. This could also be a comma-separated lists of commands, or ALL. (Obviously the path may be different on your machine.)
Related questions and answers on StackOverflow are a bit scattered and don't appear to fully answer your specific question, but I've come across an overall nice write-up on this topic by Abhijit Menon-Sen, which I found clearer to read than the various man pages on sudo & friends.

securely passing password through bash

I am building a bash script for my work to make initial setup and windows-domain join for our Ubuntu machines easy enough for someone who knows nothing about Linux can do it. I have found a lot of people that say that you shouldn't pass passwords through a script but to be efficient, I have to. The script prompts for info and credentials in the beginning and it needs to be able to be left to do it's job without interaction. I can't have it visible through ps when I pass it and I can't have it stored as an unsecured variable. Any suggestions?
If you really must do this, you can read the credentials into variables with read -s early in the script and then pass those values to the prompts. For example:
read -p "Enter your username: " username
read -sp "Enter your password: " password
echo
I included the blank echo because the -s option for read prevents the user's typing from appearing in the terminal, including the new line usually created after a user presses Enter when answering a prompt.
You can then use the $username and $password variables for the rest of your script and the credentials will not have to be stored outside of memory, meaning they will be lost/destroyed after the script completes.
However, note that any programs or utilities which take the credentials as command-line arguments will display those to other users on the machine running the script. For example, if I were to run a MySQL query using this method, I could do:
mysql -u "${username}" -p"${password}" -e "SHOW DATABASES;"
Other users on the machine could see the credentials while that was running with something like ps:
ps -ef | grep mysql
...
watrudoin 29512 29443 0 12:57 pts/4 00:00:00 mysql -u MyUserName -phunter2 -e SHOW DATABASES
You just need to be aware that what you are doing is not necessarily secure, but it seems that you already are.

how can i switch user in shell script by using sudo and password

I'm working on a script in which I need to change the user, i have sudo access, i tried something like below but without success.
echo $passwd | sudo -S su - oracle
I even tried installed ssshpass but no success with that either. Is that even possible or do I need to install something else to make this work?
Any idea
If you will run your script with root account, you can just
message="The cake is a lie"
su username -c 'echo $message'
If you will run your script with another user you have two ways to do that,
1) Configuring pam like bellow so when you run su user2 -c 'command' logged with user1, linux will not ask for password.
Add the following lines right below the pam_rootok.so line in your /etc/pam.d/su:
auth [success=ignore default=1] pam_succeed_if.so user = user2
auth sufficient pam_succeed_if.so use_uid user = user1
The first line makes sure the target user is user2. If it is, the next line will take control and succeed authorization if the calling user is user1.
If the target user is something else, the second line will be ignored and the usual authentication steps will be performed.
2) Write your script using expect as here

Forcing usermod with running program

I've been looking for a way to force usermod to modify the password/group/... files despite the user being in use.
What I do get now is this:
!! Failed to execute 'usermod --home '...' --password '...' --shell '/bin/false' 'zabbix' 2>&1':
usermod: user zabbix is currently used by process 518
I know that for being secure I need to restart the service. But this is done within a setup script. I am restarting all services at the end.
Is there any way to say --force? (well, except for modifying all necessary files.)
Thanks
If you can get root rights via sudo and are confident enough to change system files using vi then I would change the files manually.
Only a few things need to be changed in
- /etc/passwd
here you could change UID, GID, Homedirectory, Shell ...
- /etc/group
here you might need to change UID/GID as well for the username if there was a change
The File /etc/shadow will be changed automatically when using passwd to set a new password. This you can directly perform if you are root: "passwd username"
You can run usermod in a separate user namespace (with a recent enough linux), but you need to map the root user to root (otherwise you won't have permissions to modify /etc/passwd).
I.e. something like this:
unshare --user --map-root-user usermod ...
Now usermod won't find the processes running with the uid of user you are modifying.
You probably won't be able to modify the root user itself with this.

Resources