我要评分
获取效率
正确性
完整性
易理解

Disable Login for Non-Login Accounts

Linux systems typically contain multiple accounts, not all of which require login privileges. For instance, accounts automatically created during the installation of software like systemd and dhcp exist solely to run specific service processes. Login access must be disabled for the non-login accounts. Allowing them login access expands the system's attack surface, as attackers could exploit these accounts to execute interactive Bash operations and compromise the system.

  • sync, shutdown, and halt are special accounts whose shells normally should not be set to /sbin/nologin or /bin/false. Instead, their password fields are set to * in the /etc/shadow file, which prevents direct login.
  • By default, openEuler ensures that non-login accounts do not possess login capabilities.
  1. Check whether all non-login accounts have been set to /sbin/nologin or /bin/false, or whether their corresponding passwords have been locked.
    • To view all login-disabled accounts in the /etc/passwd file and verify the output against your actual service scenarios, run the following command:
      cat /etc/passwd | grep "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
    • To view all login-enabled accounts in the /etc/passwd file and verify the output against your actual service scenarios, run the following command:
      cat /etc/passwd | grep -v "\/sbin\/nologin\|\/bin\/false" | awk -F ":" '{print $1}'
    • To view all password-locked accounts in the /etc/passwd file and verify the output against your actual service scenarios, run the following command:
      cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2=="L" || $2=="LK") {print $1}'
    • To view all accounts whose passwords are not locked in the /etc/passwd file and verify the output against your actual service scenarios, run the following command:
      cat /etc/passwd | awk -F ":" '{print $1}' | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
  2. The following two methods are supported for locking and unlocking user accounts.
    • (Recommended) Method 1: Modify the /etc/passwd file using the usermod command. Set the login shell of a specific account to /sbin/nologin or /bin/false. This method blocks user login and also prevents switching to this account via the su command (using the test user as an example):
      • Lock:
        usermod -s /sbin/nologin test

        or

        usermod -s /bin/false test
      • Unlock:
        usermod -s /bin/bash test
    • Method 2: Modify the /etc/shadow file. Lock the password by inserting exclamation marks (!) or (!!) into the second field of the specified account. The following uses the test user as an example. If the user does not have a password set, this operation will fail.
      • Lock:
        usermod -L test
        or
        passwd -l test
      • Unlock:
        usermod -U test
        or
        passwd -u test

    Passwords locked using usermod can be unlocked using passwd, and vice versa.

  3. After locking or unlocking the password, verify the account status by running the following command.
    passwd -S test
    • If the following information (LK) is displayed, the password is locked.
      test LK 2022-01-01 0 30 10 35 (Password locked.)
    • If the following information (NP) is displayed, no password is set.
      test NP 2020-12-03 0 50 10 35 (Empty password.)
    • If the following information (PS) is displayed, the password is set and is not locked.
      test PS 2022-01-01 0 30 10 35 (Password set, SHA512 crypt.)