
Re: Why do system users have valid shells



On Wed, Oct 22, 2003 at 07:41:33PM +1000, Russell Coker wrote:
> On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
> > > 'su -s /bin/bash -c "cmd" user '
> > >
> > > sounds like a very bs argument
> >
> >  Do you understand the term 'breakage' ?
> 
> Do you understand the term "testing"?
 Why should I? 
The question was - what can go wrong. Well, the thing I mentioned can go
wrong. It's not a "bs argument", and not even a "very bs argument", since I'm
not arguing about anything, just pointing to a potential source of problems.
 And before we can go on with testing maybe we should think for a second 
what could go wrong? If you ask the question 'What can go wrong', the answer 
'ooh, probably nothing' has rather low informational value.

> Some of us have run fairly complete Linux machines for years with most of 
> those accounts set to /bin/bash for their shell without any problems.  I 
 /bin/bash? It's a typo, right?

> whinged at me all the time, and the other is that I have little need for such 
> measures now that I'm running SE Linux on all important machines.
 Good for you, I envy you, I ain't got enough time to set up and maintain
SE Linux on my machines.

> Linux I think that there are some good benefits to be achieved by making the 
> shells of those accounts be /bin/bash by default.
 I'm using ash instead of bash for non-interactive stuff, it's easier on
resources;)

> without breakage I am quite confident that we can get these things right.
 That's the point: 'we can get these things right'. Of course we can, and we
should, but I don't think we can just flip the switch and forget about
this. The best course of action would be to gather possible sources of
problems first, then test the change, etc.

> We can start with "bin", "daemon", "sys", and "sync" which are the least 
> likely accounts to need a login shell.  After those changes have been tested 
> to everyone's satisfaction we can then move on to others.
Now you're talking.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
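
An added example, not part of the original message or of any Debian tooling: one way to gather possible sources of problems before changing shells is to scan cron and init scripts for `su` calls to the candidate accounts that do not pass `-s`, assuming such calls rely on the account's own shell from /etc/passwd. The script paths and commands in `SAMPLE` are constructed, and the option parsing is a heuristic that covers only `-c` and `-s`.

```python
import shlex

# Accounts named in the thread as the first candidates for a non-login shell.
CANDIDATES = {"bin", "daemon", "sys", "sync"}
# su options that consume the following token as their argument.
TAKES_ARG = {"-c", "--command", "-s", "--shell"}

def su_target(line):
    """Return (user, has_shell_override) for an su call on this line, or None."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not a simple one-line command
        return None
    # Accept both "su" and a full path such as "/bin/su".
    idx = next((i for i, t in enumerate(tokens) if t.rsplit("/", 1)[-1] == "su"), None)
    if idx is None:
        return None
    user, override, skip = None, False, False
    for tok in tokens[idx + 1:]:
        if skip:                       # argument of the previous -c / -s
            skip = False
        elif tok in TAKES_ARG:
            override = override or tok in ("-s", "--shell")
            skip = True
        elif tok.startswith("--shell=") or (tok.startswith("-s") and len(tok) > 2):
            override = True            # attached forms: --shell=/bin/sh, -s/bin/sh
        elif not tok.startswith("-") and user is None:
            user = tok                 # first non-option word is the target account
    return (user or "root", override)  # su without a user name means root

def breakage_candidates(scripts, accounts=CANDIDATES):
    """List (path, line_no, user) for su calls that rely on the account's own shell."""
    hits = []
    for path, text in scripts.items():
        for no, line in enumerate(text.splitlines(), 1):
            found = su_target(line)
            if found and found[0] in accounts and not found[1]:
                hits.append((path, no, found[0]))
    return hits

# Constructed sample scripts (hypothetical paths and commands, not from a real system).
SAMPLE = {
    "etc/cron.daily/example": '#!/bin/sh\nsu daemon -c "/usr/local/bin/rotate"\n',
    "etc/init.d/example": '#!/bin/sh\nsu -s /bin/bash -c "cmd" daemon\n# su sync -c old\n',
    "etc/cron.weekly/example": 'su - sys -c "/usr/local/bin/report"\nsu -c id\n',
}

if __name__ == "__main__":
    for path, no, user in breakage_candidates(SAMPLE):
        print(f"{path}:{no}: su to '{user}' without -s, review before changing its shell")
```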


