Disabling/Removing shells

Support for security such as Firewalls and securing linux
some_dude_
Posts: 6
Joined: 2020/08/12 05:33:19

Post by some_dude_ » 2020/08/12 05:46:30

Is it possible to remove all shells and execute a certain process in such a way that it is the only one running as long as the system is running?
I am thinking of starting this process through systemd.

BShT
Posts: 327
Joined: 2019/10/09 12:31:40

Re: Disabling/Removing shells

Post by BShT » 2020/08/12 14:51:24

Create a user without a shell and run the process as this user/group.

This is the default behavior of most services like apache, postfix...

If you don't want to create a new one, run it as nobody:nogroup.
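A way to check the result of the advice above, as an added example that is not part of BShT's post: it lists every account in a passwd-format file that can still obtain an interactive shell. The account name `appsvc` and the sample passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example; account names and the sample passwd data are constructed.
# A service account with no login shell can be created with, for example:
#   useradd --system --shell /sbin/nologin --no-create-home appsvc
# systemd's User=appsvc still starts the process; it does not run the login shell.

# Shells that refuse interactive logins (usual RHEL/CentOS and Debian paths).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# login_capable_accounts FILE
# Prints "user:shell" for each account whose shell field allows a login.
# An empty shell field is reported as /bin/sh, the default per passwd(5).
login_capable_accounts() {
    awk -F: -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) blocked[d[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        NF < 7 { print "malformed line " NR > "/dev/stderr"; next }
        {
            shell = ($7 == "") ? "/bin/sh" : $7       # empty field falls back to sh
            if (!(shell in blocked)) print $1 ":" shell
        }' "$1"
}

# Constructed sample input in /etc/passwd format.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
appsvc:x:990:990::/:/sbin/nologin
legacy:x:1001:1001::/home/legacy:
EOF

# On a real host, pass /etc/passwd instead of the sample file.
login_capable_accounts "$sample"
rm -f "$sample"
```

On the sample data only `root` and `legacy` are reported; `legacy` shows why an empty shell field must not be read as "no shell".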

BShT
Posts: 327
Joined: 2019/10/09 12:31:40

Re: Disabling/Removing shells

Post by BShT » 2020/08/12 14:54:07


TrevorH
Forum Moderator
Posts: 29681
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Disabling/Removing shells

Post by TrevorH » 2020/08/12 15:19:32

Also, if you remove all shells then how will you ever connect to the machine to debug/fix problems?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

some_dude_
Posts: 6
Joined: 2020/08/12 05:33:19

Re: Disabling/Removing shells

Post by some_dude_ » 2020/08/13 04:11:28

BShT wrote:
2020/08/12 14:54:07
viewtopic.php?f=54&t=75307

Yes, this is the idea.

some_dude_
Posts: 6
Joined: 2020/08/12 05:33:19

Re: Disabling/Removing shells

Post by some_dude_ » 2020/08/13 04:13:42

TrevorH wrote:
2020/08/12 15:19:32
Also, if you remove all shells then how will you ever connect to the machine to debug/fix problems?

The idea is, in case of an update we would start a new machine with the updated version and shut down the current machine.

some_dude_
Posts: 6
Joined: 2020/08/12 05:33:19

Re: Disabling/Removing shells

Post by some_dude_ » 2020/08/13 04:19:23

BShT wrote:
2020/08/12 14:51:24
create a user without shell and run the process as this user/group

this is the default behavior of most services like apache, postfix...

if you don't want to create a new one run it as nobody:nogroup

I will try this one. Can anyone tell me if there is a way to completely stop the shells from starting? In case I scale up and down very frequently, creating a new user is an overhead.

jlehtone
Posts: 3101
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Disabling/Removing shells

Post by jlehtone » 2020/08/13 09:07:08

some_dude_ wrote:
2020/08/13 04:19:23
In case I scale up and down very frequently, creating a new user is an overhead.

I don't believe that. When you "start a new machine", you have to install packages and useradd is nothing compared to that. For example, both kickstart and openstack's cloud config let you define users as part of the install rather than something that you do afterwards.

Note also that some of the fundamental services are shell scripts.

some_dude_
Posts: 6
Joined: 2020/08/12 05:33:19

Re: Disabling/Removing shells

Post by some_dude_ » 2020/08/17 05:04:03

jlehtone wrote:
2020/08/13 09:07:08
some_dude_ wrote:
2020/08/13 04:19:23
In case I scale up and down very frequently, creating a new user is an overhead.
I don't believe that. When you "start a new machine", you have to install packages and useradd is nothing compared to that. For example, both kickstart and openstack's cloud config let you define users as part of the install rather than something that you do afterwards.

Note also that some of the fundamental services are shell scripts.

What are the services we are talking about here? Can you help me with an example?

jlehtone
Posts: 3101
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Disabling/Removing shells

Post by jlehtone » 2020/08/22 22:17:52

What does package 'bash' offer?

$ rpm -q --provides bash
/bin/bash
/bin/sh
bash = 4.2.46-34.el7
bash(x86-64) = 4.2.46-34.el7
config(bash) = 4.2.46-34.el7

Does any other package require any of those?

rpm -q --whatrequires bash
rpm -q --whatrequires /bin/bash
rpm -q --whatrequires /bin/sh

The output of the latter two should be quite enlightening.
