Re: tech-ctte: More specific advice regarding merged-/usr and implications of #978636

Sam Hartman <hartmans@debian.org> writes:
>>>>>> "Josh" == Josh Triplett <josh@joshtriplett.org> writes:

>     Josh> Over the years, I've seen a few proposals floated to consider
>     Josh> dropping /etc/shells; this would just require dropping
>     Josh> pam_shells.so from /etc/pam.d/chsh. That would also have the
>     Josh> side effect of solving this problem, and making one less thing
>     Josh> requiring maintainer scripts.

> I think that would be a really bad idea.
> The issue is not on the chsh side, but more that membership in
> /etc/shells is a really good (but not perfect) indicator about whether
> this is an account that supports normal logins.

I agree with Sam on this: I would not couple discussion of dropping this
mechanism with usrmerge, and I would be very cautious here.

There are a lot of facilities in Debian that are mostly internal plumbing
and that only a few administrators are likely to fiddle with (and those
often being sophisticated users who follow Debian closely).  This is not
one of them.  /etc/shells is a very old UNIX security mechanism, and while
I would not design it today the way that it was designed, and it has a lot
of caveats and weird edge cases, it is a security mechanism that predates
the existence of Linux and that was (and probably, to a lesser extent, is)
used in a wide variety of older environments and configurations.

This is the sort of operating system facility that may be a load-bearing
security control for systems where everyone has forgotten that it is
security-critical.  It is possible, even likely, that there exist
production Debian systems in the wild where the /etc/shells mechanism is
the primary control standing in the way of an obvious privilege escalation
vulnerability.  To be clear, that's not a great situation for those
systems to be in, since this mechanism is a bit fragile and probably not
as strong as one would like!  But nonetheless we should be very careful
about taking any action that might break its historical properties.

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
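To make the "is this a normal-login account" check concrete, here is a small emulation of the /etc/shells membership test that chsh(1), pam_shells and getusershell(3)-based services perform. This is an added example, not code from the thread or from any Debian package; the /etc/shells and /etc/passwd contents are constructed samples. The comparison is a literal string match, as in the real tools (no realpath() canonicalisation), which is why /bin/bash and /usr/bin/bash are distinct entries even on a merged-/usr system.

```python
"""Emulate the /etc/shells membership check used by chsh, pam_shells and
getusershell(3)-based daemons.  Added example; not Debian's own code."""

# Constructed sample of /etc/shells: comments, a blank line, both the /bin
# and /usr/bin paths for bash, but only the /bin path for dash.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells

/bin/sh
/bin/bash
/usr/bin/bash
/bin/dash
"""

# Constructed sample of /etc/passwd lines (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/dash
git:x:1002:1002:Git:/var/lib/git:/usr/bin/git-shell
"""


def parse_shells(text):
    """Return the shells listed in /etc/shells, in file order, the way
    getusershell(3) iterates them: one path per line, lines starting with
    '#' are comments, blank lines are skipped."""
    shells = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        shells.append(line)
    return shells


def is_login_shell(shell, shells):
    """Literal string comparison, as the real checks do.  No path
    canonicalisation: /usr/bin/dash is rejected when only /bin/dash is
    listed, even though the two resolve to the same file under merged-/usr."""
    return shell in shells


def classify_accounts(passwd_text, shells):
    """Map each account name to True if its shell is in /etc/shells, i.e. the
    account would pass the historical 'supports normal logins' test."""
    result = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: ignore rather than guess
        name, shell = fields[0], fields[6]
        result[name] = is_login_shell(shell, shells)
    return result


if __name__ == "__main__":
    shells = parse_shells(SAMPLE_SHELLS)
    for name, ok in classify_accounts(SAMPLE_PASSWD, shells).items():
        print(f"{name:8s} {'login' if ok else 'no login'}")
```

With the constructed data, root and alice pass, daemon and git fail because /usr/sbin/nologin and /usr/bin/git-shell are not listed, and bob fails only because the file lists /bin/dash and not /usr/bin/dash. That last case is the fragility the thread is about: whether a shell "counts" depends on which spelling of its path a package or administrator registered.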