Re: Why do system users have valid shells
On Wed, 22 Oct 2003 18:50, Tobias Reckhard wrote:
> > also su user -c command won't work, you'll need to use sudo or suid bit,
> > and that's a bit messy.
>
> This is true, when I need to su to this user's account (for
> troubleshooting, usually), I need to 'chsh -s /bin/bash mirror' first
> (and change it back later). However, I only need to do this very seldom.
> And I haven't ever needed to su to daemon, bin, sys, games, man, lp,
> mail, news, uucp, proxy, postgres, www-data, backup, operator, list,
> irc, gnats, nobody, amavis or cyrus. That's the list of user accounts
> with shell /bin/sh on my Debian box.
Also I think it should be noted that even if there is some unusual
administrative action that requires having a valid shell, the administrator
could always change the shell, perform the action, then change it back.
Having a valid shell all the time because it might be needed at some time is
not a good idea.
I recall that there was a bug in pam in unstable at one time that would allow
logging in to those accounts. Setting the shells to /bin/false would have
prevented that bug from being a problem.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
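
An added example, not part of the original message: a small audit that lists the system accounts in a passwd(5) file which still have a usable login shell, the situation the thread argues against. The function names, the constructed sample data and the UID ranges treated as "system" (1-999 plus 65534 for nobody) are assumptions; /usr/sbin/nologin is accepted alongside /bin/false as a non-login shell.

```shell
#!/bin/sh
# Added example: flag system accounts that keep a valid login shell.
# Assumption: system UIDs are 1-999 plus 65534 (nobody); root (UID 0) is skipped.

# Constructed sample in passwd(5) format; not taken from any real host.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mirror:x:105:105::/var/mirror:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/sh
postgres:x:31:32:postgres:/var/lib/postgres:
cyrus:x:96:8::/var/spool/cyrus:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# audit_system_shells [FILE] -> prints "name uid shell" for each flagged account.
# Reads standard input when FILE is omitted.
audit_system_shells() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        NF < 7 { next }                     # skip malformed entries
        {
            uid = $3; shell = $7
            if (uid !~ /^[0-9]+$/) next
            uid += 0
            is_sys = (uid >= 1 && uid <= 999) || uid == 65534
            if (!is_sys) next
            # An empty shell field falls back to /bin/sh at login, so it is flagged.
            if (shell == "") shell = "/bin/sh"
            # Shells that refuse an interactive session are fine.
            if (shell ~ /\/(false|nologin)$/) next
            print $1, uid, shell
        }' "$@"
}

# Demo on the constructed sample; on a real host: audit_system_shells /etc/passwd
sample_passwd | audit_system_shells
```

Each account it reports can be switched with `chsh -s /bin/false <name>`, the same command the thread uses in the other direction for temporary troubleshooting.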