Re: tech-ctte: More specific advice regarding merged-/usr and implications of #978636
Sam Hartman <hartmans@debian.org> writes:
>>>>>> "Josh" == Josh Triplett <josh@joshtriplett.org> writes:
> Josh> Over the years, I've seen a few proposals floated to consider
> Josh> dropping /etc/shells; this would just require dropping
> Josh> pam_shells.so from /etc/pam.d/chsh. That would also have the
> Josh> side effect of solving this problem, and making one less thing
> Josh> requiring maintainer scripts.
> I think that would be a really bad idea.
> The issue is not on the chsh side, but more that membership in
> /etc/shells is a really good (but not perfect) indicator about whether
> this is an account that supports normal logins.

I agree with Sam on this: I would not couple discussion of dropping this
mechanism with usrmerge, and I would be very cautious here.

There are a lot of facilities in Debian that are mostly internal plumbing
and that only a few administrators are likely to fiddle with (and those
often being sophisticated users who follow Debian closely). This is not
one of them. /etc/shells is a very old UNIX security mechanism, and while
I would not design it today the way that it was designed, and it has a lot
of caveats and weird edge cases, it is a security mechanism that predates
the existence of Linux and that was (and probably, to a lesser extent, is)
used in a wide variety of older environments and configurations.

This is the sort of operating system facility that may be a load-bearing
security control for systems where everyone has forgotten that it is
security-critical. It is possible, even likely, that there exist
production Debian systems in the wild where the /etc/shells mechanism is
the primary control standing in the way of an obvious privilege escalation
vulnerability. To be clear, that's not a great situation for those
systems to be in, since this mechanism is a bit fragile and probably not
as strong as one would like! But nonetheless we should be very careful
about taking any action that might break its historical properties.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
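
Added example, not part of the original message and not Debian's own code: the /etc/shells membership test discussed above, applied to every account in a passwd file to show which ones the mechanism treats as normal login accounts. The function names and the sample files are constructed for illustration; an empty shell field is treated as /bin/sh, as passwd(5) specifies.

```shell
#!/bin/sh
# audit_shells PASSWD SHELLS
# Prints "user:shell:listed" or "user:shell:unlisted" for each account.
audit_shells() {
    awk -F: '
        FILENAME == ARGV[1] {                # first file: the shells list
            # skip comments and blank lines; keep each path verbatim
            if ($0 !~ /^[ \t]*(#|$)/) listed[$0] = 1
            next
        }
        NF >= 7 {                            # second file: passwd entries
            shell = ($7 == "") ? "/bin/sh" : $7   # passwd(5): empty means /bin/sh
            state = (shell in listed) ? "listed" : "unlisted"
            print $1 ":" shell ":" state
        }
    ' "$2" "$1"
}

# unlisted_accounts PASSWD SHELLS
# Prints only the names of accounts whose shell is not in the shells list.
unlisted_accounts() {
    audit_shells "$1" "$2" | awk -F: '$3 == "unlisted" { print $1 }'
}

# Constructed sample data, not taken from a real system.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash

/bin/zsh
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/zsh
backup:x:34:34:backup:/var/backups:
EOF
# The match is textual: bob's /usr/bin/zsh is reported unlisted because
# only /bin/zsh appears in the list, even where both paths name one file.
audit_shells "$demo_dir/passwd" "$demo_dir/shells"
```

To audit a live system, call `audit_shells /etc/passwd /etc/shells`.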