Interestingly enough, on my Ubuntu derivative with nginx installed with apt, the www-data user has a shell:
$ cat /etc/passwdwww-data:x:33:33:www-data:/var/www:/bin/shShouldn't this be set to something like /bin/false? Even though the user can't log in, isn't it dangerous to provide a shell for a system user like this by default?