
Re: /etc/shells policy?



Hi,
>>"Luis" == Luis Francisco Gonzalez <luisgh@cogs.susx.ac.uk> writes:

 Luis> there is an "oldish" bug report open on tcsh that complains
 Luis> about tcsh not deleting its own entry from /etc/shells upon
 Luis> removal from the system.

	Since that file belongs to another package, and shells do not
 add to that file, a shell should not delete entries from the file
 either.

	Now, one may ask the passwd package to provide a simple
 (trivial) command to add and remove entries from the file. However, I
 am not convinced that arbitrary commands should be allowed to modify
 that file at all. The contents of that file are an important part of
 the security policy for a site.

______________________________________________________________________
     If two or more packages use the same configuration file, one of these
     packages has to be defined as *owner* of the configuration file, i.e.,
     it has to list the file as `conffile' and has to provide a program
     that modifies the configuration file.

     The other packages have to depend on the *owner* package and use that
     program to update the configuration file.
______________________________________________________________________

 Luis> http://www.debian.org/Bugs/db/16/16072.html

 Luis> Now, in my system I seem to have any imaginable shell included
 Luis> in that file, which belongs to the passwd package.

 Luis> The question is what should I do. AFAIK, /etc/shells is used to
 Luis> determine which shells can be used with chsh. I am not aware of
 Luis> any other use. I think it makes perfect sense that shells
 Luis> (un)register themselves in that file upon installation and in
 Luis> the pre-removal of the package. If the shell is used by some
 Luis> user (as shown in the /etc/passwd file) it should probably
 Luis> refuse to remove the package.

	Umm, no I do not want strange shells registering themselves. I
 would consider that a security hole. I have strong policies about
 what shells are acceptable as login shells (after all, *I* am the one
 who has to clean up the mess)
	

	manoj
-- 
 A master was explaining the nature of Tao to one of his novices. "The
 Tao is embodied in all software -- regardless of how insignificant,"
 said the master. "Is Tao in a hand-held calculator?" asked the
 novice. "It is," came the reply. "Is the Tao in a video game?"
 continued the novice. "It is even in a video game," said the
 master. "And is the Tao in the DOS for a personal computer?" The
 master coughed and shifted his position slightly.  "The lesson is
 over for today," he said. Geoffrey James, "The Tao of Programming"
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
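The thread above treats /etc/shells as site policy that chsh consults and that packages should not silently edit, and Luis suggests a shell package should refuse removal while /etc/passwd still references it. The following audit is an added example, not code from the thread or from the passwd/tcsh packages; it works on constructed sample file contents and the function names are its own.

```python
import os

# Constructed sample contents; on a real host read /etc/shells and /etc/passwd instead.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/tcsh
/usr/bin/zsh
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
luis:x:1000:1000:Luis:/home/luis:/bin/tcsh
alice:x:1001:1001:Alice:/home/alice:/opt/strange/sh
"""


def parse_shells(text):
    """Set of shells listed in /etc/shells; blank lines and '#' comments are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def login_shells(text):
    """Map user name -> login shell (7th field) from passwd(5)-format text."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:          # skip malformed or empty lines
            result[fields[0]] = fields[6]
    return result


def unlisted_login_shells(shells_text, passwd_text):
    """Users whose login shell is not in /etc/shells: chsh would not accept it, so
    it got there some other way. System accounts on nologin show up too; filter
    those according to your own policy."""
    allowed = parse_shells(shells_text)
    return {u: s for u, s in login_shells(passwd_text).items() if s not in allowed}


def users_of_shell(passwd_text, shell):
    """Users with the given login shell: the check to run before removing a shell package."""
    return sorted(u for u, s in login_shells(passwd_text).items() if s == shell)


def stale_entries(shells_text, exists=os.path.exists):
    """Entries in /etc/shells whose binary is gone, e.g. a shell removed without cleanup."""
    return {s for s in parse_shells(shells_text) if not exists(s)}
```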