Hi.

On Thu, Dec 10, 2020 at 11:46:02AM +0200, Andrei POPESCU wrote:
> > Left alone, having unneeded users on a given machine could be a
> > security threat, at least in the sense that it provides a greater than
> > necessary attackable surface area. What can be done about that?
> >
> > Obviously one thing would be setting the shell to /dev/null in the
> > password file of those machines that don't need a given user, to
> > prevent interactive logins. What else could be done? Is there a way to
> > put an account "beyond use", in any way including su, sudo etc, while
> > still having the machine recognise the user for being a user and
> > therefore not messing up the mapping of user IDs on shared resources
> > like NFS? In other words, create the sense of "yes this user exists,
> > but they are not welcome here"?
>
> passwd -l/--lock <username>

sudo -u <locked_user> /bin/bash -i

That little trick defeats "locked" account status, an absence of a password
and even /usr/sbin/nologin set as a default shell.

Reco
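As an added audit example (not code from this thread), the script below classifies how an account is locked from constructed /etc/passwd, /etc/shadow and sudoers style lines, and flags whether a runas rule such as `(ALL)` still reaches the account via `sudo -u` as the reply describes; the sudoers parsing is deliberately simplified and the sample entries are invented.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed passwd/shadow/sudoers lines
# stand in for the real files so this runs offline. A locked hash or a nologin
# shell only blocks password and interactive logins; a runas rule that covers
# the account still reaches it through `sudo -u`, so that is reported too.

NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false /dev/null'

# password_state HASHFIELD -> locked | nopassword | set
password_state() {
    case "$1" in
        '!'*|'*'*) echo locked ;;      # passwd -l prepends '!'; '*' is never a valid hash
        '')        echo nopassword ;;  # empty field: no password needed at all
        *)         echo set ;;
    esac
}

# runas_covers SUDOERS_LINE USER -> 0 if the rule's runas list is ALL or names USER
# (simplified: only the user part of "(users:groups)" is examined)
runas_covers() {
    runas=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\([^)]*\)).*/\1/p' | cut -d: -f1)
    [ -z "$runas" ] && runas=root          # no (...) means runas defaults to root
    for u in $(printf '%s\n' "$runas" | tr ',' ' '); do
        [ "$u" = ALL ] || [ "$u" = "$2" ] && return 0
    done
    return 1
}

# account_state PASSWD_LINE SHADOW_LINE SUDOERS_LINE
#   -> "NAME pw=<state> shell=<ok|nologin> sudo_runas=<yes|no>"
account_state() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    case " $NOLOGIN_SHELLS " in *" $shell "*) shst=nologin ;; *) shst=ok ;; esac
    if runas_covers "$3" "$name"; then ra=yes; else ra=no; fi
    printf '%s pw=%s shell=%s sudo_runas=%s\n' "$name" "$(password_state "$hash")" "$shst" "$ra"
}

# Constructed sample entries, not real credentials, hosts or policy.
PW_BOB='bob:x:1002:1002::/home/bob:/usr/sbin/nologin'
SH_BOB='bob:!$6$constructedsalt$constructedhash:18600:0:99999:7:::'
RULE_ALL='%admin ALL=(ALL:ALL) ALL'
RULE_WWW='deploy ALL=(www-data) NOPASSWD: /usr/bin/systemctl'

account_state "$PW_BOB" "$SH_BOB" "$RULE_ALL"   # bob pw=locked shell=nologin sudo_runas=yes
account_state "$PW_BOB" "$SH_BOB" "$RULE_WWW"   # bob pw=locked shell=nologin sudo_runas=no
```

On a real host, feed it the corresponding lines from the live files; an account that reports `sudo_runas=yes` is still usable regardless of its lock state.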