On Fri, Feb 02, 2001 at 04:27:52PM +0300, Vasily Korytov wrote: > Hello Magus, > > > I have a question about /etc/passwd... > > > I typically go thru and put a * in all accounts except for 'root' and change > > the shell to '/bin/false' when I first setup a box, to make sure the account > > cannot be logged into. Is there a specific reason why this is not done? Are > > there any implications I just haven't noticed about doing this? Am I just > > retarded and missing something obvious? It doesn't seem to break anything > > when I do that, but thought I'd ask for someone else's input/opinion. > > No `su user -c' can be done with invalid shell. actually su user -c does not work with the shell set to /bin/false or /bin/true. however su -s /bin/sh user works. btw changing nobody's shell to /bin/false will cause your locate database to never be run since updatelocatedb uses su nobody -c. you can cheat by changing the --localuser option in /etc/cron.daily to --localuser='-s /bin/sh nobody' but i don't think bogus shells really adds much security, other then perhaps being caught by pam_shells.so which will reject logins to accounts with a shell not listed in /etc/shells. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpPYj6j20aME.pgp
Description: PGP signature