Re: /etc/passwd->shell
On Mon, Jan 14, 2002 at 06:52:49AM -0500, Ivan R. wrote:
> > to, I can see no reason for not giving a user that has *no* password
> > a shell.
>
> if a user doesn't need a shell,
> why should we give him one?
Because a sysadmin might like to execute scripts under this uid via sudo,
as he thinks it's a security gain not to run every cron script as root
(security in this case more in the sense of being sure that this script does
not 'rm -rf /' and being sure that he does not forget a chown afterwards,
which could otherwise be necessary).
> but I think a Linux distribution like Debian
> must be "coherent": why have www-data and mail got a shell
> and not mysql???
Well, um, I as the mysql maintainer should be able to tell, but mainly
I guess it's because I was told (years ago) the same thing, that "/bin/bash" in
/etc/passwd is a security problem. In the meantime I haven't found a
valid argument for this claim, but I can't change it easily because
people could have used the account "mysql" for e.g. an ftp user (for whatever
reason), and if I gave this user a shell they would immediately, and
maybe without the admin realizing it, be able to log in via ssh.
BTW, speaking of FTP servers, I would encourage everybody to use recent
servers like e.g. proftpd, which have their own passwd/group files and need
the "system" accounts only to get the UID, and ignore the system's shell and
password, so a www-data user could not log in via ssh even if he had a valid
ftp account and a valid shell in /etc/passwd.
bye,
-christian-
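The risk Christian describes (a service account that someone has quietly reused as an ftp login, which would become an ssh login the moment its /etc/passwd shell changed from /bin/false to a real shell) is easy to audit for. The following script is an added example, not code from the mail or from the Debian mysql package: it cross-checks /etc/passwd, /etc/shadow and /etc/shells and reports, per account, whether an interactive login is actually possible. The passwd, shadow and shells contents below are constructed sample data (the hashes are placeholders), so it runs offline; the "ftpuser" entry models the reused-account case.

```python
"""Audit which accounts in /etc/passwd can actually get an interactive login.

Added example, not part of the original mail. Runs on constructed sample
data; pass the contents of the real files to audit() to check a system.
"""
from dataclasses import dataclass

# Constructed sample files (not copied from any real system; hashes are fake).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false
ftpuser:x:1001:1001:FTP only:/home/ftpuser:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$fakesalt$fakehash:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
mail:*:15000:0:99999:7:::
mysql:!:15000:0:99999:7:::
ftpuser:$6$fakesalt$fakehash2:15000:0:99999:7:::
backup:!$6$fakesalt$fakehash3:15000:0:99999:7:::
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""


@dataclass
class Finding:
    name: str
    uid: int
    shell: str
    password_state: str  # "set", "locked" or "empty"
    verdict: str         # "LOGIN-POSSIBLE", "SHELL-BUT-LOCKED" or "NO-SHELL"


def parse_colon_file(text):
    """Yield the field list of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def parse_shells(text):
    """Set of shells that count as login shells (/etc/shells semantics)."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def password_state(hash_field):
    if hash_field == "":
        return "empty"      # no password at all: anyone can log in locally
    if hash_field[0] in "!*":
        return "locked"     # passwd -l or never set: password auth refused
    return "set"


def audit(passwd_text, shadow_text, shells_text):
    shells = parse_shells(shells_text)
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    findings = []
    for fields in parse_colon_file(passwd_text):
        name, _, uid, _, _, _, shell = fields[:7]
        # An account missing from shadow is treated as locked ("*").
        state = password_state(shadow.get(name, "*"))
        if shell not in shells:
            verdict = "NO-SHELL"            # /bin/false, nologin, ...
        elif state == "locked":
            verdict = "SHELL-BUT-LOCKED"    # shell usable once a password/key appears
        else:
            verdict = "LOGIN-POSSIBLE"      # real shell and a usable password
        findings.append(Finding(name, int(uid), shell, state, verdict))
    return findings


def risky_accounts(findings):
    """Names of accounts that can get an interactive session with a password."""
    return [f.name for f in findings if f.verdict == "LOGIN-POSSIBLE"]


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHELLS):
        print(f"{f.name:10} uid={f.uid:<5} {f.shell:12} pw={f.password_state:6} {f.verdict}")
```

On the sample data "ftpuser" (a real shell plus a real password) and root come out as LOGIN-POSSIBLE, which is exactly what would happen to a reused "mysql" account if the package started shipping it with /bin/bash. SHELL-BUT-LOCKED is not a clean bill of health: it only says password authentication is refused. OpenSSH on Linux treats a "!" prefix as a locked account, but a bare "*" does not stop a key-based ssh login for an account that has a real shell, so the shell field, not the password field, is what decides whether the account is a login account.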