
Re: [d-security] Re: /etc/passwd->shell

On Fri, Jan 11, 2002 at 10:00:32PM -0500, Hubert Chan wrote:
> So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
> set to /bin/false.  (Why does Debian not do this by default?)
Apart from the ftp users which (sometimes) need their ftp password to
be stored in /etc/shadow and thus would make it a valid login password
too, I can see no reason for not giving a user that has *no* password
a shell.
Without a password in /etc/shadow or /etc/passwd he could not log in, and
if someone cracks the server with i.e. a buffer overflow he does not
depend on the passwd entries but executes /bin/bash directly.
On the other hand, when executing "su -c daemonxy cronscriptxy" from
your crontab or similar, then you need a valid shell because the shell
relies on it when executing child programs.

BTW: for ftp and pop3 users I could imagine /bin/passwd being a nice shell
     because it would allow the users to change their password via ssh.
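As an added illustration (not part of this thread or of any Debian tool), a small Python audit over constructed /etc/passwd and /etc/shadow lines that separates the two cases argued above: accounts whose shell is only reachable through su or cron because the password is locked, and accounts such as ftp where a stored password plus a real shell means an actual login is possible. The sample entries, the status labels and the set of no-login shells are assumptions made for the example.

```python
"""Audit constructed passwd/shadow data for login-shell vs. password combinations."""

# Assumed set of shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data: not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
ftp:x:106:65534::/home/ftp:/bin/sh
mysql:x:107:111:MySQL Server:/var/lib/mysql:/bin/false
"""
SHADOW = """\
root:$6$constructedhash:11700:0:99999:7:::
daemon:*:11700:0:99999:7:::
www-data:*:11700:0:99999:7:::
ftp:$6$anotherconstructedhash:11700:0:99999:7:::
mysql:!:11700:0:99999:7:::
"""


def audit(passwd_text, shadow_text):
    """Return {account: status} describing how the shell can be reached."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hash_field = line.split(":")[:2]
            shadow[name] = hash_field

    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        pw = shadow.get(name, "")
        # '*' or '!' can never match a typed password, so the account is locked.
        locked = pw.startswith(("*", "!"))
        login_shell = shell not in NOLOGIN_SHELLS
        if login_shell and not locked:
            report[name] = "password login possible"   # the ftp case above
        elif login_shell:
            report[name] = "shell only via su/cron"    # locked, shell still usable by su -c
        else:
            report[name] = "no shell"
    return report


if __name__ == "__main__":
    for account, status in audit(PASSWD, SHADOW).items():
        print(f"{account:10} {status}")
```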
