
Re: shell of place-holder accounts (shouldn't be a valid shell)



On Mon, Aug 03, 1998 at 11:18:39AM -0400, Daniel Martin at cush wrote:
> Raul Miller <rdm@test.legislate.com> writes:
> 
> > Chris Ulrich <cdulrich@ucdavis.edu> wrote:
> > >   On most unix systems, there are accounts that exist not for users
> > > but to make the filesystem look nice (uids get names instead of
> > > numbers with ls) or for security isolate special purpose processes
> > > from the rest of the system. Examples of this are the nobody user, for
> > > root squashed NFS, the qmail user for the different qmail daemons, the
> > > http user for the web server, and so on. Debian has quite a few of
> > > these users in the default /etc/passwd.
> 
> And note that "nobody" has a world writeable home directory - /tmp.

just a simple note....I haven't edited my /etc/passwd at all...certainly
never fiddled with the nobody account...

nobody:x:65534:65534:nobody:/home:/bin/sh

/home isn't world writeable (yikes...just imagine...ewww)

> > However, overall I agree that passwordless system ids should all have
> > /bin/false.  (And there should be some well advertised debian mechanism
> > besides su for root to adopt these identities -- one that always uses
> > $SHELL or /bin/sh.)
> 
> sudo -u <user> /bin/sh
> does this, but many people don't want sudo.

I swear by sudo....it's a great program (tho one to be careful of...
I meant to "sudo slay lora" once and I forgot the sudo...
slay turned on me (mean setting on by default)

I was thinking...maybe it would be good to write /bin/noshell
and have noshell be a program which uses syslog to log a 
"successful attempt to log on as...." and exit immediately.
(or maybe have this as just an option?)
-Steve
-- 
/* -- Stephen Carpenter <sjc@delphi.com> --- <sjc@debian.org>------------ */
E-mail "Bumper Stickers":
"A FREE America or a Drug-Free America: You can't have both!"
"honk if you Love Linux"

