[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /etc/passwd->shell

On Mon, Jan 14, 2002 at 06:52:49AM -0500, Ivan R. wrote:
> > to, I can see no reason why not giving a user, that has *no* password,
> > a shell. 
> if a user don t need a shell,
> why should we give him one?
Because a sysadmin could like to execute scripts under this uid via sudo 
as he thinks it's a security gain to not run every cronscript under root.
(security in this case more in the sense "secure that this script does not
'rm -rf /' and beeing secure that he does not forgets a chown afterwards 
which could otherwise be necessary). 

> but i thing a linux distribution like the debian
> must be "coherent" : why www-data and mail have got a shell
> and not mysql???
Well, um, I as the mysql maintainer should be able to tell it but mainly
I guess because I was told (years ago) the same thing about "/bin/bash" in
/etc/passwd is a securty problem. In the meantime, I'm didn't found a 
valid argument for this sentence but I can't change it easily because
people could have used the account "mysql" for e.g. ftp user (for whatever
reason) and if I would give this user a shell they would immediately and 
maybe without the admin realizing it be able to login via ssh.

BTW, speaking of FTP servers, I would encourage everybody to use recent
servers like e.g. proftpd which have their own passwd/group files and need
the "system" accounts only to get the UID and ignore the systems shell and
password so a www-data user could not login via ssh even if he had a valid
ftp account and a valid shell in /etc/passwd.



Reply to: