On Mon, 31 Mar 2003 at 08:07:05PM +0100, Dale Amon wrote: > I have heard it so argued and remain to be convinced. > I have a cfengine script that overwrites the work of > debian packages in passwd within minutes of an upgrade. > All non-real users get /dev/false for a shell on my > systems. If it breaks some arcane feature... tough. This is ridiculous and in no way increases the security of your system since no one can log in to those accounts anyhow! Plus if I have access to gain privs to that account (be it an exploit or whatever) I can place a system call to a REAL command interpreter (say /bin/sh or whatever your favorite is). Doing this serves absolutely no purpose but to break parts of your system...but it is your system so have at it. A great way to secure your system has also been to run (as root) "rm -rf /" and then reboot your machine to apply the update. But I don't think anyone would seriously recommend that as a way of "Improving security", just like one wouldn't consider giving a no-loginable account an invalid shell. Like I said...your system, I won't get in to a flame war over it. -- Phil PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -- Excuse #183: Ionization from the air-conditioning
Attachment:
pgpYf2YwT4vzy.pgp
Description: PGP signature