
shell of place-holder accounts (shouldn't be a valid shell)



  Since the discussion of /bin/sh seems to be winding down, I thought I'd
bring up another pet peeve of mine (about all unixes, not just debian).

  On most unix systems, there are accounts that exist not for users but to
make the filesystem look nice (uids get names instead of numbers with ls) or
for security, to isolate special-purpose processes from the rest of the system.
Examples of this are the nobody user, for root squashed NFS, the qmail
user for the different qmail daemons, the http user for the web server, and
so on.  Debian has quite a few of these users in the default /etc/passwd.

  Given that these accounts *never* need to have someone use them, it
seems like a needless security flaw to give them a shell in /etc/passwd.

  While it is true that these accounts have no possible password, that does
not mean that account can't log onto the system.  There are several 
mechanisms used to allow a user to log onto a system:
password verification (used by login, ftp, imap/pop, ssh, xdm/dtlogin)
file based verification (used by r-daemons remsh/rlogin, ssh)
magic verification (kerberos and one-time-pad mechanisms)

  If a security hole in a program or a misconfigured machine allows a remote
badguy to put a .rhosts or .ssh/authorized_keys file into the home directory
of a 'place holder' account, that account suddenly allows the badguy onto 
the machine.  Because the placeholder accounts have home directories all over
the filesystem, almost any innocent NFS misconfiguration may allow this to 
happen.

  I will acknowledge that this is not a huge concern in the majority of 
situations.  I think, though, that the cost of changing these accounts' shells
to /bin/false is not high at all.  In situations where the account is sometimes
used for interactive logins or is accessed by su, it is reasonable to give
that account a live shell, but this should only be done on an as-needed basis.

chris

-- 
 Chris Ulrich        cdulrich@ucdavis.edu        530 754 4355
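
An added example, not part of the original message: an audit of passwd(5) entries that reports placeholder accounts which still have a live shell, or which have a .rhosts or .ssh/authorized_keys file in their home directory. The UID range treated as human accounts, the nologin paths, the `root` parameter and the sample entries are assumptions made for the example.

```python
import os

# Shells that refuse a session; /bin/false is the one the post proposes,
# the nologin paths are an assumption added here.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
TRUST_FILES = (".rhosts", ".ssh/authorized_keys")
# Assumed UID range for real people; everything else except root is a placeholder.
HUMAN_UIDS = range(1000, 60000)


def audit_passwd(passwd_text, human_uids=HUMAN_UIDS, root="/"):
    """Return findings for placeholder accounts; root allows auditing a mounted image."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed entry
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if int(uid) == 0 or int(uid) in human_uids:
            continue  # root and ordinary users are out of scope
        # An empty shell field means /bin/sh, so it counts as a live shell.
        live_shell = shell not in NON_LOGIN_SHELLS
        trust = [f for f in TRUST_FILES
                 if os.path.exists(os.path.join(root, home.lstrip("/"), f))]
        if live_shell or trust:
            findings.append({"user": name, "shell": shell or "/bin/sh",
                             "live_shell": live_shell, "trust_files": trust})
    return findings


# Constructed sample entries, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
qmaild:x:71:65534:qmail daemon:/var/qmail:/bin/sh
http:x:33:33:web server:/var/www:/bin/false
chris:x:1000:1000:Chris:/home/chris:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```

An account whose shell is already /bin/false is still reported when a trust file is present in its home directory, since that file has no reason to exist there.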

