[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

shell of place-holder accounts (shouldn't be a valid shell)

  Since the discussion of /bin/sh seems to be winding down, I thought I'd
bring up another pet peeve of mine (about all unixes, not just debian).

  On most unix systems, there are accounts that exist not for users but to
make the filesystem look nice (uids get names instead of numbers with ls) or
for security isolate special purpose processes from the rest of the system.
Examples of this are the nobody user, for root squashed NFS, the qmail
user for the different qmail daemons, the http user for the web server, and
so on.  Debian has quite a few of these users in the default /etc/passwd.

  Given that these accounts *never* need to have someone use them, it
seems like a needless security flaw to give them a shell in /etc/passwd.

  While it is true that these accounts have no possible password, that does
not mean that account can't log onto the system.  There are several 
mechanisms used to allow a user to log onto a system:
password verification (used by login, ftp, imap/pop, ssh, xdm/dtlogin)
file based verification (used by r-daemons remsh/rlogin, ssh)
magic verification (kerberos and one-time-pad mechanisms)

  If a security hole in a program or a misconfigured machine allow a remote
badguy to put a .rhosts or .ssh/authorized_keys file into the home directory
of a 'place holder' account, that account suddenly allows the badguy onto 
the machine.  Because the placeholder accounts have home directories all over
the filesystem, almost any innocent NFS misconfiguration may allow this to 

  I will acknowledge that this is not a huge concern in the majority of 
situations.  I think, though, that the cost of changing these account's shells
to /bin/false is not high at all.  In situations where the account is sometimes
used for interactive logins or is accessed by su, it is reasonable to give
that account a live shell, but this should only be done on an as needed basis.


 Chris Ulrich        cdulrich@ucdavis.edu        530 754 4355

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: