Bug#1794: /bin/sh is shell when none specified in /etc/passwd

Package: ?

I recently created a special-purpose entry in /etc/passwd, with an
empty shell field.  I was surprised to see that `finger' reported the
shell as `/bin/sh', and tried using `su' from a root shell to su to
the account.  Sure enough, I got a shell.

This seems wrong to me, particularly in the light of the many `system'
entries in /etc/passwd that have no shell in their shell field.  It's
not clear that there is a real vulnerability here, but I would feel
happier if things in general didn't treat an absent shell field as

In the meantime I've changed the shells for `mail', &c, to
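
An audit for the condition this report describes, added here as an example and not part of the original report: it lists entries in a passwd-format file whose shell field is empty (which passwd(5) documents as defaulting to /bin/sh), together with the state of the password field. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# List passwd-format entries whose 7th field (shell) is empty.
# Per passwd(5), an empty shell field means /bin/sh is used.
# Output, one line per account: name uid password-field-state

empty_shell_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        /^[+-]/        { next }     # skip NIS compat entries
        NF != 7 {
            # Malformed line: report on stderr for manual review.
            printf "line %d: expected 7 fields, got %d\n", NR, NF | "cat 1>&2"
            next
        }
        $7 == "" {
            if ($2 == "")          state = "no-password"
            else if ($2 == "x")    state = "shadow"
            else if ($2 ~ /^[*!]/) state = "locked"
            else                   state = "hash-in-passwd"
            print $1, $3, state
        }
    ' "$1"
}

# Constructed sample data (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
mail:*:8:8:mail:/var/spool/mail:
special::1001:1001:special purpose:/home/special:
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
broken:x:1002:1002
EOF
}

# Demo on the constructed sample; pass /etc/passwd instead for a real audit.
tmp=$(mktemp) && sample_passwd > "$tmp" && empty_shell_accounts "$tmp"
rm -f "$tmp"
```

Accounts reported as `locked` or `shadow` are still reachable with `su` from a root shell, as the report observes; `no-password` entries with an empty shell deserve attention first.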


