[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Moving bash from essential/required to important?

On 04/04/2011 10:42 PM, Steve Langasek wrote:
> On Mon, Apr 04, 2011 at 08:32:50PM +0100, Lars Wirzenius wrote:
>> On ma, 2011-04-04 at 19:43 +0100, Roger Leigh wrote:
>>> Regarding the root shell issue, I wouldn't have an issue with it
>>> being /bin/sh.  The admin is always free to chsh it to the shell
>>> of their choice.
>> We could even have d-i set the root shell to bash if it installs bash.
>> Or have bash do it always, even, if root's shell is /bin/sh.
> This doesn't address the problem that the package manager will no longer be
> treating bash as Essential, with the result that root's login shell may be
> rendered unusable at some point during an upgrade.  It also removes the
> requirement that the bash maintainer ensure the package is usable when
> unpacked but not yet configured.  How do we mitigate this?  The latter could
> be mitigated by calling out the requirement separately in Policy, but what
> about the former?

What about Roger's suggestion to have the root account passwordless and
locked with sudo access? Are there other drawbacks to that proposal (is
booting in single user mode covered for instance?)?

> Users who have made a conscious decision to use a different shell as their
> root shell (such as zsh) may have accepted this incremental increase in
> risk, but I'm not convinced that we want to do this for all users by default
> (if bash is still Priority: required, it will be installed by default, so
> all users will be affected unless they opt out).

I guess this is not so much an issue anymore when the account is locked?

> And if /bin/sh is going to be dash (which I think is what we want), I
> wouldn't like to inflict that on anyone as the default root login shell.

In single user mode this would still be the case I guess? Though that
would not have a big impact anymore I guess?



Reply to: