
Re: /etc/passwd->shell



On Mon, Jan 14, 2002 at 06:52:49AM -0500, Ivan R. wrote:
> > to, I can see no reason why not giving a user, that has *no* password,
> > a shell. 
> 
> if a user doesn't need a shell,
> why should we give him one?
Because a sysadmin might like to execute scripts under this uid via sudo 
as he thinks it's a security gain to not run every cron script as root.
(security in this case more in the sense "being sure that this script does not
'rm -rf /' and being sure that he does not forget a chown afterwards 
which could otherwise be necessary). 

> but I think a Linux distribution like Debian
> must be "coherent": why do www-data and mail have a shell
> and not mysql???
Well, um, I as the mysql maintainer should be able to tell, but mainly
I guess because I was told (years ago) the same thing, that "/bin/bash" in
/etc/passwd is a security problem. In the meantime, I haven't found a 
valid argument for this sentence but I can't change it easily because
people could have used the account "mysql" as, e.g., an ftp user (for whatever
reason) and if I gave this user a shell they would immediately, and 
maybe without the admin realizing it, be able to log in via ssh.

BTW, speaking of FTP servers, I would encourage everybody to use recent
servers like e.g. proftpd which have their own passwd/group files and need
the "system" accounts only to get the UID and ignore the system's shell and
password, so a www-data user could not log in via ssh even if he had a valid
ftp account and a valid shell in /etc/passwd.

bye,

-christian-
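An added example, not from Christian's mail or from the Debian mysql package: a POSIX shell audit that reads constructed /etc/passwd and /etc/shadow lines and lists accounts that have a real login shell but an empty password field, the combination the thread is worried about. The account names, hashes and shell list below are constructed sample data.

```shell
#!/bin/sh
# Added example: report accounts with a login shell AND an empty password
# field. A locked field ('*' or '!' prefix) or a real hash is not reported.
# All data below is constructed; in practice read /etc/passwd and /etc/shadow.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
mysql:x:101:103:MySQL Server:/var/lib/mysql:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
ftpuser:x:1001:1001:FTP only:/home/ftpuser:/bin/bash'

SHADOW_DATA='root:$6$abc$def:15000:0:99999:7:::
mysql:!:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
mail::15000:0:99999:7:::
ftpuser::15000:0:99999:7:::'

# Shells that never yield an interactive session (constructed list; a real
# audit would also consult /etc/shells).
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin|/bin/sync) return 0 ;;
        *) return 1 ;;
    esac
}

# Look up the password field of one user in the shadow data. An account with
# no shadow entry at all cannot authenticate, so it is marked rather than
# treated as "empty".
shadow_field() {
    printf '%s\n' "$SHADOW_DATA" |
        awk -F: -v u="$1" '$1 == u { found = 1; print $2 }
                           END { if (!found) print "(no shadow entry)" }'
}

# Print "user shell" for every account that has a login shell and an empty
# password field.
find_passwordless_shell_accounts() {
    printf '%s\n' "$PASSWD_DATA" |
    while IFS=: read -r user pw uid gid gecos home shell; do
        is_nologin_shell "$shell" && continue
        [ -z "$(shadow_field "$user")" ] && printf '%s %s\n' "$user" "$shell"
    done
}

find_passwordless_shell_accounts
```

Running it lists mail and ftpuser: both have a shell and no password, while mysql is skipped because /bin/false is not a login shell.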