Re: [d-security] Re: /etc/passwd->shell
In reply to Christian Hammers <ch@westend.com>:
> Apart from the ftp users which (sometimes) need their ftp password to
> be stored in /etc/shadow and thus would be making it a valid login
> password too, I can see no reason for not giving a user that has *no*
> password a shell.
ok, but we can look at it the opposite way:
if a user doesn't need a shell,
why should we give him one?
and perhaps I am too "stiff" (excuse me for my English :p)
but I think a Linux distribution like Debian
must be "coherent":
why do www-data and mail have a shell
and not mysql???
it's just a principle for me :D
> Without a password in /etc/shadow or /etc/passwd he could not login
> and if someone cracks the server with i.e. a buffer overflow he does
> not depend on the passwd entries but executes /bin/bash directly.
ok, that's right.
> On the other hand when executing "su -c daemonxy cronscriptxy" from
> your crontab or similar then you need a valid shell because the shell
> relies on it when executing child programs.
ok
> BTW: for ftp and pop3 users I could imagine /bin/passwd being a nice
> shell because it would allow the users to change their password via
> ssh.
thanks for this advice,
and for all the rest
;D
-----
Ivan R.
sysadmin
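
Added example (not part of the original message): a small audit of the two fields this thread argues about, the shell in /etc/passwd and the password field in /etc/shadow, showing which accounts end up with both. The account lines are constructed sample data, and the function names and the list of no-login shells are assumptions of this example.

```python
# Shells treated as "no login shell" (assumption of this example; adjust per system).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data in passwd(5) / shadow(5) format, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:101:103:MySQL Server:/var/lib/mysql:/bin/false
ftpuser:x:1001:1001::/home/ftpuser:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
mail:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
mysql:!:19000:0:99999:7:::
ftpuser:$6$constructed$hash:19000:0:99999:7:::
"""

def password_usable(field):
    """shadow(5): an empty field needs no password; '*' or a leading '!' matches no password."""
    return field == "" or not field.startswith(("!", "*"))

def audit(passwd_text, shadow_text):
    """Return (name, shell, status) for every well-formed passwd entry."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) != 7:
            continue  # skip comments and malformed lines
        name, pw, shell = f[0], f[1], f[6]
        # 'x' means the real field lives in shadow; a missing shadow entry cannot log in.
        field = shadow.get(name, "*") if pw == "x" else pw
        has_shell = shell not in NOLOGIN_SHELLS  # an empty shell field means /bin/sh
        usable = password_usable(field)
        if has_shell:
            status = "login possible" if usable else "shell, password locked"
        else:
            status = "no shell, password usable" if usable else "no shell, locked"
        findings.append((name, shell, status))
    return findings

if __name__ == "__main__":
    for name, shell, status in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name:10} {shell:18} {status}")
```

A locked password field only rules out password logins; su run by root, as in the crontab case quoted above, still depends on the shell field alone.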