In Linux and Unix, the processes and services run under different users.
The processes may have a user created specifically for them, and, if they do not, they will run under a user called nobody. E.g. sshd is the user running the ssh daemon.
$ < /etc/passwd grep sshd
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
The nobody-owned processes are able to send signals to each other and even ptrace each other in Linux, meaning that a nobody-owned process can read and write the memory of another nobody-owned process.
The nobody user and group do not have any entry in the /etc/sudoers file so, in Linux and Unix, the user nobody does not have any root privileges.
This is the sample line matching ‘nobody’ in the /etc/passwd file:
$ < /etc/passwd grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
As you may notice, the nobody user has /bin/sh as a login shell and /nonexistent as home directory (as the name suggests, the /nonexistent directory does not exist by default).
If you are paranoid, you can set nobody’s default shell to /usr/sbin/nologin and so deny ssh login for the nobody user. On Fedora, the nologin shell is /sbin/nologin.
On Debian:
$ sudo chsh -s /usr/sbin/nologin nobody
On Fedora:
$ sudo chsh -s /sbin/nologin nobody
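Both points above, the login shell of nobody and unrelated services sharing the nobody user, can be checked with a short script. This is an added example, not part of the original post; the function names and the sample passwd and ps data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the nobody account.

# Print the login shell (7th passwd field) of user $1; passwd data on stdin.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Succeed if shell path $1 refuses interactive logins.
denies_login() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "USER PID COMMAND" lines on stdin and print "COUNT COMMAND" for every
# distinct command running as user $1, sorted by command name.
commands_as_user() {
    awk -v u="$1" '$1 == u { n[$3]++ } END { for (c in n) print n[c], c }' |
        sort -k2
}

# Constructed sample data; on a live host feed /etc/passwd and the output of
# `ps -eo user=,pid=,comm=` instead.
SAMPLE_PASSWD='sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh'
SAMPLE_PS='root 1 systemd
nobody 812 dnsmasq
nobody 977 memcached
nobody 978 memcached
sshd 1203 sshd'

# Print one finding per line, then the per-command process counts.
audit_nobody() {   # usage: audit_nobody "$passwd_text" "$ps_text"
    shell=$(printf '%s\n' "$1" | login_shell nobody)
    denies_login "$shell" || echo "WARN nobody has login shell $shell"
    cmds=$(printf '%s\n' "$2" | commands_as_user nobody)
    count=$(printf '%s\n' "$cmds" | awk 'NF { c++ } END { print c + 0 }')
    # Different services under one UID can signal and ptrace each other.
    [ "$count" -gt 1 ] && echo "WARN $count different services share the nobody UID"
    printf '%s\n' "$cmds"
    return 0
}

audit_nobody "$SAMPLE_PASSWD" "$SAMPLE_PS"
```

Each service flagged by the second warning is a candidate for its own dedicated user, like the sshd user shown earlier.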
Find and delete the files and folders owned by nobody:
Display the files and folders owned by nobody:
$ find /path/to/dir -user nobody -print
Delete the files and folders owned by nobody:
$ find /path/to/dir -user nobody -exec rm -rf {} +
Yeah another security screw up in the past of Linux, and Linux is loaded with them….