10

I'm messing around with Tiger security audits on my CentOS box, ensuring the server is fit for being online, well as close as it can get anyway.

I noticed a warning about the user nobody having / as a home directory. I just can't figure out which directory it should "live in" so to speak. So where shall I put this fella? And how about ncsd now we're at it?

I guess the questions really are: What is nobody and ncsd for? Which security risk does it impose for those users to have root set as their home directory? In an optimal environment, where would their home directories be?

Steen Schütt
  • I think that generally each operating system or operating system distribution has its own pseudo-standard for what the home directories of various system users are. For example, on Debian it's `/nonexistent`. What is the home directory of the nobody user on a fresh install of the operating system you are using? – Celada May 08 '13 at 16:56
  • 1
    On my distro (Gentoo), it's `/var/empty`. And it does exist and contains files. Strange... – lgeorget May 08 '13 at 17:00
  • 1
    I doubt the distro creators intended for those logons to be usable. – Tim May 08 '13 at 17:08
  • 1
    On Crunchbang and Ubuntu it is `/nonexistent` and I think if you create a directory with that name you deserve yourself. – msw May 08 '13 at 17:26
  • Where are home directories listed? – Faheem Mitha May 08 '13 at 17:32
  • On my distro (Fedora 18) `nobody` has the home directory set to `/` and the *log in shell set to* `/bin/nologin`. In other words, it probably wouldn't matter what the home directory is set to if the user can't log in anyways. – BenjiWiebe May 08 '13 at 17:38
  • @FaheemMitha if you have a question, please make a new post, if it hasn't been answered yet. SE sites are not intended to be used as forums. You can see what the homedir of a user is in `/etc/passwd` – lgeorget May 08 '13 at 17:41
  • @lgeorget Thanks for the feedback, but it is too trivial a question to be worth posting. – Faheem Mitha May 08 '13 at 17:43
  • `/var/lib/nobody` in openSUSE – Hauke Laging May 10 '13 at 03:46
  • Well, those are VM images of CentOS and Debian both having the root there. I guess it should just own an empty directory to which it's chrooted? Would it make more sense to just set it to /dev/null? It already has the shell set to nologin :) – Steen Schütt May 10 '13 at 22:37
  • 1
    This particular "security check" is pointless, since even if you get a shell with a home directory in `/var/empty` or wherever, you can change directories up, and if you specify a nonexistent directory then your shell just gets thrown into `/` anyway. – Michael Hampton May 11 '13 at 15:48

1 Answer

4

[EDIT]: I misunderstood the question. I will write a more appropriate answer here.

I do not know Tiger Security, but I agree that the user nobody is meant to have NO homedir, NO right over any subdir at all and is really meant to have NO shell at all (and never to properly do a 'login').

But the actual settings (in /etc/passwd) are different for different Linux distros and BSDs and *unix.

I checked using this command :

    $ grep nobody /etc/passwd

on RedHat 5.2 (that is the same as a Centos), and I find :

    nobody:x:99:99:Nobody:/:/sbin/nologin

so probably '/' is the standard for RedHat/CentOS.

I checked on Ubuntu 10.04 :

    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

(and '/nonexistent' does not exist)

and on Mac OSX 10.4 Tiger (that is a BSD derivative) :

    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false

(and '/var/empty' exists and is empty)

My guess is that Tiger Security does not like the standard setting on RedHat/CentOS. You can probably safely ignore this warning or you can edit /etc/passwd setting nobody's home to an empty or non-existent directory in order to satisfy the Tiger Security test.

Steen Schütt
DavAlPi
  • No, Tiger security: http://www.nongnu.org/tiger/ – Steen Schütt May 10 '13 at 22:35
  • @Time Sheep: ok, but on what kind of *nix are you getting this warning? Different distros set up the nobody user in different ways. The 'grep nobody /etc/passwd' will tell you how. I suggest you edit your original question and specify you are talking about Tiger security. – DavAlPi May 11 '13 at 06:25
  • I did for a fact write I was looking at some Tiger Security audits in the original question, so there is no need to edit it. I'm working on CentOS. It doesn't really matter where it is, but I guess it's supposed to be somewhere safe, because as far as I know "nobody" is used as a user without privileges etc. – Steen Schütt May 11 '13 at 15:03
  • 1
    @Time Sheep: yes, my fault, I misunderstood the question. I'll edit my answer. – DavAlPi May 13 '13 at 08:42