Interestingly enough, on my Ubuntu derivative with nginx installed with apt
, the www-data
user has a shell:
$ cat /etc/passwdwww-data:x:33:33:www-data:/var/www:/bin/sh
Shouldn't this be set to something like /bin/false
? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?