How can I check whether a user has login permissions on Ubuntu?
Solution 1
passwd -l www-data
Solution 2
The information you want is in the /etc/passwd file (which is world readable - the hashes of passwords are actually kept in /etc/shadow). So you can
$ grep www-data /etc/passwd
which should produce something along the lines of
www-data:x:111:112::/home/www-data:/bin/false
(I don't have Apache installed, so the details are probably different). The important detail is the part after the last : which is the login shell. In this case it is /bin/false, which means you can't log in as that user. If you look at the line corresponding to your username, you will see it is /bin/bash, thus allowing you to log in.
If www-data has a valid login shell then just go and edit /etc/passwd and change the login shell to /bin/false.
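An added example, not part of either answer above: a shell function that reads one passwd entry and its shadow entry and reports separately the three states this thread discusses (login shell, password lock as set by passwd -l, and the expiry date from the man passwd note in the comments). The function name audit_account, its optional third argument (today's day number, for repeatable runs) and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which login paths are closed for one account.
# Takes one passwd line and one shadow line (same colon-separated formats
# as /etc/passwd and /etc/shadow) so it can run on constructed input.

audit_account() {
    passwd_line=$1
    shadow_line=$2
    today=${3:-$(( $(date +%s) / 86400 ))}   # days since 1970-01-01

    user=$(printf '%s\n' "$passwd_line" | cut -d: -f1)
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)

    # passwd field 7: an empty shell means the system default, /bin/sh.
    case ${shell:-/bin/sh} in
        */nologin|*/false) shell_state=shell=nologin ;;
        *)                 shell_state=shell=interactive ;;
    esac

    # shadow field 2: a leading ! or * can never match a typed password;
    # an empty field means no password is required at all.
    case $hash in
        '!'*|'*'*) pw_state=password=locked ;;
        '')        pw_state=password=EMPTY ;;
        *)         pw_state=password=set ;;
    esac

    # shadow field 8: expiry as a day number; empty means never expires.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        exp_state=account=expired
    else
        exp_state=account=active
    fi

    # The three states are independent: password=locked together with
    # shell=interactive and account=active still permits SSH key login.
    echo "$user $shell_state $pw_state $exp_state"
}

# Constructed sample entries (not taken from a real system).
audit_account 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
              'www-data:*:14800:0:99999:7:::'
audit_account 'deploy:x:1001:1001::/home/deploy:/bin/bash' \
              'deploy:!$6$constructed$hash:14800:0:99999:7::1:'
```

On a live system, pass it the output of getent passwd www-data and (as root) getent shadow www-data, which also covers accounts that come from a directory such as LDAP rather than the local files.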
morpheous
Updated on September 17, 2022
Comments
-
morpheous almost 2 years
I want to make sure that the user www-data cannot be used to log in on my system (Ubuntu Lucid). How can I find out? - is there a command I can run against this user? (traditionally run by Apache daemon)
-
Daenyth almost 14 years
And use vipw to edit the file so you don't mess it up!
-
Dennis Williamson almost 14 years
From man passwd: "Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970)."
-
Ignacio Vazquez-Abrams almost 14 years
Won't work if the authdb is in e.g. LDAP.
-
Daenyth almost 14 years
It's effectively disabled since he'd have to add a key to log in with it
-
morpheous almost 14 years
Hold on, when you talk about the account being 'disabled' - do you mean that Apache can no longer run as the user 'www-data'? (that's not what I want). I want Apache to continue running as the user www-data, but I don't want anyone to be able to log into the system using www-data as a username. I have seen attempts in my log of users trying a brute force attempt to hack into my server using the username www-data - that is what prompted this question.
-
Daenyth almost 14 years
By disabled I mean to say that login is disabled.