Re: The 'users' gid: sync, games, and man

To: Colin Watson <cjwatson@debian.org>
Cc: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
From: Russell Coker <russell@coker.com.au>
Date: Tue, 11 Feb 2003 13:23:49 +0100
Message-id: <[🔎] 200302111323.49676.russell@coker.com.au>
Reply-to: Russell Coker <russell@coker.com.au>
In-reply-to: <[🔎] 20030211101756.GD13521@riva.ucam.org>
References: <[🔎] 20030209123419.GA17807@riva.ucam.org> <[🔎] 20030209132053.GL26430@cibalia.gkvk.hr> <[🔎] 20030211101756.GD13521@riva.ucam.org>

On Tue, 11 Feb 2003 11:17, Colin Watson wrote:
> +games:*:5:60:games:/usr/games:/bin/sh
> +man:*:6:12:man:/var/cache/man:/bin/sh

That is good apart from one thing.  I don't think that there is any good 
reason for giving a login shell for "games" or "man".  No-one should ever 
login to those accounts in a normal setup and therefore the default shell 
should be /bin/false.

There have been a number of security holes that would work if you give such 
accounts a shell of /bin/sh but which would not work if the shell was 
/bin/false.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

Follow-Ups:
- Re: Bug#25882: The 'users' gid: sync, games, and man
  - From: Colin Watson <cjwatson@debian.org>

References:
- The 'users' gid: sync, games, and man
  - From: Colin Watson <cjwatson@debian.org>
- Re: The 'users' gid: sync, games, and man
  - From: Josip Rodin <joy@gkvk.hr>
- Re: The 'users' gid: sync, games, and man
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: Please don't non-bugs in changelog (again)
Next by Date: Re: buildd questions
Previous by thread: Re: The 'users' gid: sync, games, and man
Next by thread: Re: Bug#25882: The 'users' gid: sync, games, and man
Index(es):
- Date
- Thread