
Re: Why do system users have valid shells



On Wed, 22 Oct 2003 20:00, Dariush Pietrzak wrote:
> > >  Do you understand the term 'breakage'?
> >
> > Do you understand the term "testing"?
>
>  Why should I?

Because some of us have already performed extensive tests on this when it was 
raised previously.

The idea of giving non-login accounts a shell of /bin/false is hardly new.

> The question was - what can go wrong. Well, the thing I mentioned can go
> wrong. It's not a "bs argument", and not even "very bs argument", since I'm
> not arguing about anything, just pointing to potential source of problems.
>  And before we can go on with testing maybe we should think for a second
> what could go wrong? If you ask question 'What can go wrong', answer
> 'ooh, probably nothing' has rather low informational value.

Which is why in my answer I told you that I had run it for a period of years 
on a number of machines and not found problems.

> > Some of us have run fairly complete Linux machines for years with most of
> > those accounts set to /bin/bash for their shell without any problems.  I
>
>  /bin/bash? It's a typo, right?

Yes, meant to say /bin/false.

> > whinged at me all the time, and the other is that I have little need for
> > such measures now that I'm running SE Linux on all important machines.
>
>  Good for you, I envy you, I ain't got enough time to set up and maintain
> SE Linux on my machines.

Which is why you can benefit from using /bin/false for such accounts.

> > without breakage I am quite confident that we can get these things right.
>
>  That's the point 'we can get these things right'. Of course we can, and we
> should, but I don't think we can just flip the switch and forget about
> this. The best course of action would be to gather possible sources of
> problems first, then test the change, etc..

So we start by getting some developers to test it (which has already been 
done).  Then we get a version of base-passwd to change some of the shells in 
unstable (as it's only in unstable initially, and users get asked whether they 
want to update /etc/passwd, it should not be a problem).  After that, if we 
have no problems, it will migrate into testing.

Running around saying "oh no things might break" does not help.  Do the tests 
and you'll find that very little breaks even if you change all non-user 
accounts to have /bin/false as the shell.  Last time I tested this 
extensively the only thing that broke was "man".  I think I submitted a bug 
report against man-db about it, it may be fixed now.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
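
An added example, not code from the post above and not base-passwd's own
scripts, of how one might rehearse the change under discussion before flipping
the switch. It works entirely on a constructed passwd file and two constructed
init-style scripts in a temp directory (the account list, UIDs and script
contents are invented; the "system account = non-root UID below 1000, plus
65534" rule is an assumption about where the boundary lies), so it never touches
/etc/passwd. It audits which system accounts still have a real shell, emits the
rewritten file with those shells set to /bin/false, and shows the one failure
mode a practitioner should check for first: `su USER -c CMD` execs USER's passwd
shell, and `/bin/false -c CMD` exits 1 without ever running CMD, so any script
that drops privileges that way needs `su -s /bin/sh` before the shells change.

```sh
#!/bin/sh
# Added example, not from the mailing-list post or from base-passwd.
# Everything below runs against constructed files in a temp dir.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_INITD="$SAMPLE_DIR/init.d"
mkdir -p "$SAMPLE_INITD"

# Constructed passwd file (invented accounts): system accounts with real
# shells, one already on nologin, the special-purpose sync account, a user.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# One selection rule shared by the audit and the rewrite. Assumption: a
# system account is any non-root UID below 1000 (plus 65534). Its shell
# needs changing unless it is already /bin/false, a *nologin binary, or
# the deliberate special-purpose /bin/sync.
AWK_PROG='
BEGIN { FS = ":"; OFS = ":" }
function needs_change() {
    if ($3 == 0) return 0
    if ($3 >= 1000 && $3 != 65534) return 0
    if ($7 == "/bin/false" || $7 == "/bin/sync") return 0
    if ($7 ~ /nologin$/) return 0
    return 1
}
mode == "list"    && needs_change() { print $1 ":" $7 }
mode == "rewrite" { if (needs_change()) $7 = "/bin/false"; print }
'
# Audit: print "account:shell" for each system account with a real shell.
system_accounts_with_shell() { awk -v mode=list "$AWK_PROG" "$1"; }
# Rewrite: emit the passwd file with those shells set to /bin/false.
# On a live host apply the audit list with `usermod -s /bin/false ACCOUNT`
# rather than rewriting /etc/passwd by hand.
neuter_system_shells() { awk -v mode=rewrite "$AWK_PROG" "$1"; }

# `su USER -c CMD` ends up exec'ing USER's passwd shell as "SHELL -c CMD".
# Reproduce that last step without root: /bin/false ignores its arguments
# and exits 1, so CMD silently never runs once the shell is /bin/false.
run_via_shell() { "$1" -c "$2" 2>/dev/null; }

# Two constructed init-style scripts: the first goes through the target
# account's login shell and will break; the second pins a shell with -s.
cat > "$SAMPLE_INITD/foo" <<'EOF'
#!/bin/sh
su daemon -c "/usr/sbin/foo-rebuild --quiet"
EOF
cat > "$SAMPLE_INITD/bar" <<'EOF'
#!/bin/sh
su -s /bin/sh bin -c "/usr/sbin/bar-daemon"
EOF

# Pre-flight check: su invocations in a directory of scripts that do not
# pin a shell with -s. Each hit should gain "-s /bin/sh" before the change.
su_callers_without_shell_override() {
    grep -rnE '(^|[^[:alnum:]_])su[[:space:]]' "$1" 2>/dev/null \
        | grep -vE -e '-s[[:space:]]+/' || true
}

# Stand-alone run: audit, proposed diff, pre-flight hits, su behaviour.
echo "== system accounts with a real shell =="
system_accounts_with_shell "$SAMPLE_PASSWD"
echo "== proposed passwd changes =="
neuter_system_shells "$SAMPLE_PASSWD" > "$SAMPLE_DIR/passwd.new"
diff "$SAMPLE_PASSWD" "$SAMPLE_DIR/passwd.new" || true
echo "== scripts that su without -s =="
su_callers_without_shell_override "$SAMPLE_INITD"
echo "== /bin/sh -c vs /bin/false -c =="
run_via_shell /bin/sh 'echo "command ran"'
run_via_shell /bin/false 'echo "command ran"' || echo "/bin/false ran nothing, exit $?"
```

Run it as an ordinary user; nothing outside the temp directory is read or
written. The su check is the part worth keeping around: it is cheap to grep
the init scripts and cron jobs of a box for `su ACCOUNT -c` before the shells
are changed, and each hit either needs `-s /bin/sh` or is a reason to leave
that one account alone.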


