Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't think the www user has a password in any distro, by default.

Meaning one of his administrators must have set one (likely for temporary troubleshooting), kicking off the whole issue...

edit: if SSH access was indeed the first cause. Running any upload-and-run script as `www` would let them set the password themselves, I think.



For anyone wondering how to properly troubleshoot in this manner without breaking things:

Run 'sudo su www -s /bin/bash'. using '-s /bin/bash' will override the usual nologin shell, and running 'su' as root will mean a passwordless account can be su'd too.

This will allow you to try accessing files and directories as if you had the user 'www's privileges without having to make the 'www' account regularly usable.

You should never set a real shell or password for any accounts that a real user will not be using.


Probably an administrator troubleshooting, www user should also have a nologin shell by default which cannot be changed by a normal user via an uploaded script.

Maybe default settings are production settings after all!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: