Re: [d-security] Re: /etc/passwd->shell

["\"Ivan R.\"" <ivan.rambeau@franceonline.fr>]

En réponse à Christian Hammers <ch@westend.com>:


> Apart from the ftp users which (sometimes) need their ftp password to
> be stored in /etc/shadow and thus would making it a valid login
> password
> to, I can see no reason why not giving a user, that has *no* password,
> a shell. 

ok, but we can see that at the opposite,
if a user don t need a shell,
why should we give him one?
and perhaps am i too "stiff" (excuse me for my english :p)
but i thing a linux distribution like the debian
must be "coherent" :
why www-data and mail have got a shell
and not mysql???
it s just a principle for me :D

> Without a password in /etc/shadow or /etc/passwd he could not login
> and
> if someone cracks the server with i.e. a buffer overflow he does not
> depend on the passwd entries but executes /bin/bash directly.

ok, that s right.

> On the other hand when executing "su -c daemonxy cronscriptxy" from 
> your crontab or similar than you need a valid shell because the shell
> relies on it when executing child programs.

ok

> BTW: for ftp and pop3 users I could imagine /bin/passwd beeing a nice
> shell
>      because it would allow the users to change their password via ssh.

thanks for this advice,
and for all the rest

;D

-----
Ivan R.
sysadmin