Re: nobody with a shell !!

On Mon, 31 Mar 2003 at 08:07:05PM +0100, Dale Amon wrote:
> I have heard it so argued and remain to be convinced.
> I have a cfengine script that overwrites the work of
> debian packages in passwd within minutes of an upgrade.
> All non-real users get /dev/false for a shell on my
> systems.  If it breaks some arcane feature... tough.

This is ridiculous and in no way increases the security of your system
since no one can log in to those accounts anyhow!  Plus if I have access
to gain privs to that account (be it an exploit or whatever) I can place
a system call to a REAL command interpreter (say /bin/sh or whatever
your favorite is).  Doing this serves absolutely no purpose but to break
parts of your system...but it is your system so have at it.  A great way
to secure your system has also been to run (as root) "rm -rf /" and then
reboot your machine to apply the update.  But I don't think anyone would
seriously recommend that as a way of "Improving security", just like one
wouldn't consider giving a no-loginable account an invalid shell.

Like I said...your system, I won't get into a flame war over it.


