
Re: System users and valid shells...



On Wed, 3 May 2006, Colin Watson wrote:

> On Wed, May 03, 2006 at 02:45:56AM +0200, Uwe Hermann wrote:
>> this may be a dumb question, but I really wonder if there's a policy
>> (which I obviously haven't found) about which system users should get
>> a valid shell and which shouldn't.

Yeah, I had the same thoughts when I first installed tiger

> This is bug #330882, and is basically because I'm exceptionally
> conservative when it comes to base-passwd and it's rather hard to tell
> whether anything in Debian might be relying on any of those users having
> a valid shell.

I worried about that as well

> I'm willing to change these, but I'd like to do it on a case-by-case
> basis after scanning the archive for potential problems. At the moment
> I'm not even sure how to begin that scan ...

As a small datapoint, I took 4 machines I could play with and just
fixed all the IDs tiger bitched about - and waited for the fallout.

The results so far (several months later):
	* fetchmail needs a shell (likely because of my pam.d & auth)
	* news needs a shell to do any maintenance
	* uucp needs a shell

The rest of the system accounts are happily running with /bin/false

I'm sure a few more folk could do likewise, and with some tracking,
this should be fairly easy to nail down...  With more testers, the
faster we'd find the few exceptions.
--
Rick Nelson
"By golly, I'm beginning to think Linux really *is* the best thing since
sliced bread."
(By Vance Petree, Virginia Power)
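
Added example, not part of the original message and not tiger's own code: a small audit that lists system accounts whose login shell is still valid, skipping the three accounts the message reports as needing one. The function name, the 1-999 system UID range, and the sample passwd/shells lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list system accounts that still have a usable login shell.
# Assumptions (not from the post): system UIDs are 1-999 (Debian's range),
# a shell counts as valid when it is listed in the shells file, and the
# exception list holds the three accounts the post reports as needing one.
EXCEPTIONS="fetchmail news uucp"

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "name uid shell" for every flagged account.
audit_shells() {
    awk -F: -v exc="$EXCEPTIONS" -v shells="$2" '
        BEGIN {
            n = split(exc, e, " ")
            for (i = 1; i <= n; i++) skip[e[i]] = 1
            # Load the valid-shell list, ignoring comments and blank lines.
            while ((getline line < shells) > 0)
                if (line !~ /^#/ && line != "") valid[line] = 1
        }
        {
            # An empty shell field means /bin/sh to login(1).
            sh = ($7 == "") ? "/bin/sh" : $7
            if ($3 >= 1 && $3 <= 999 && (sh in valid) && !($1 in skip))
                print $1, $3, sh
        }
    ' "$1"
}

# demo: run the audit over constructed sample files (not real system data).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
        'bin:x:2:2:bin:/bin:/bin/false' \
        'news:x:9:9:news:/var/spool/news:/bin/sh' \
        'uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh' \
        'www-data:x:33:33:www-data:/var/www:' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$dir/passwd"
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash > "$dir/shells"
    audit_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a real host the call would be `audit_shells /etc/passwd /etc/shells`; each flagged account is a candidate for /bin/false once it is confirmed that nothing relies on its shell.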


