[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: System users and valid shells...

On Wed, May 03, 2006 at 02:45:56AM +0200, Uwe Hermann wrote:
> Security-wise it's probably a good idea to give as few users as possible
> a valid shell, all others should get /bin/false, right?

AFAIK, this is already being done in Red Hat, SuSE, FreeBSD and OpenBSD for
many system users. And is the recommended practice for disabling users (per
CERT's http://www.cert.org/tech_tips/unix_configuration_guidelines.html).
This is recommended because even if a user has a disabled password some
(network) services might allow remote login under certain circumstances.

In any case, and this is Debian-specific, you might want to read through
the following discussions:
(continued in http://lists.debian.org/debian-devel/1998/08/msg00084.html)
(1998! gasp!) for insightful comments for (some even against) this practice.

In any case, you could use noshell (already available in Debian) or nologin
(see #298782) instead of /bin/false. Those will provide also logging
capabilities (i.e. when somebody tries to use the shell this is noted in
syslog). That helps detect misuse and also detect which users *do* need a
shell for some reason (as they would trigger the log messages and you are
reviewing the logs, aren't you? :-)



Attachment: signature.asc
Description: Digital signature

Reply to: