Re: Why do system users have valid shells

To: I.R.van Dongen <vdongen@hetisw.nl>, debian-security@lists.debian.org
Subject: Re: Why do system users have valid shells
From: Russell Coker <russell@coker.com.au>
Date: Wed, 22 Oct 2003 21:50:32 +1000
Message-id: <[🔎] 200310222150.32218.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 20031022133753.7fc59a8c.vdongen@hetisw.nl>
References: <[🔎] 3F963594.9030905@gmx.net> <[🔎] 3F9658DB.3020006@gmx.net> <[🔎] 20031022133753.7fc59a8c.vdongen@hetisw.nl>

On Wed, 22 Oct 2003 21:37, I.R.van Dongen wrote:
> > > If the shells are changed, there are some really big consequences,
> > > but
> >
> > Such as? Please share your knowledge. :-)
>
> - manually compiled postgresql (user:postgres) expects the user it runs
> as to have a valid shell (I'm not sure about the debian package)-

The Debian package used to have a number of bugs related to this.  There was 
quite a big of work done on improving the situation, I am not sure if it's 
entirely fixed.

Postgresql is known to be a program with seriously buggy scripts etc.  I've 
filed several bug reports and sent in patches.  It has improved a lot, I hope 
that the Debian package no longer has such issues.

As for manual compilation, if you compile things manually then it's your 
responsibility to do whatever is necessary to make it work.  Often manual 
compilation requires specifying locations of header files and libraries, 
using special -D options for compilation, and sometimes requires patching the 
source to deal with differences between the way other things work on a Debian 
system to the system that the upstream author coded for.

People who choose to compile the program themself instead of using a .deb are 
best advised to start with "apt-get source".  If they choose to do otherwise 
then it's their issue.

> backports and 3th party debs might contain scripts that use the 'su -c'
> as mentioned above.- home made script, or scripts copyed out of manuals/
> from webpages might expect valid shells.

Such scripts may expect special directories under /var, /opt, or /usr/local.  
They may expect special file names under /etc, they may expect BSD or Solaris 
names for device nodes.  We can't do everything that is necessary to get such 
things to work.

> I didn't research the impact yet, so there might be more/less problems.

Research it first, then compare notes with all the other people who have 
already researched it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to:

References:
- Why do system users have valid shells
  - From: Tobias Reckhard <jester71@gmx.net>
- Re: Why do system users have valid shells
  - From: Tobias Reckhard <jester71@gmx.net>
- Re: Why do system users have valid shells
  - From: I.R.van Dongen <vdongen@hetisw.nl>

Prev by Date: Re: Why do system users have valid shells
Next by Date: Reiserfs 3.6 and ACL support
Previous by thread: Re: Why do system users have valid shells
Next by thread: Re: Why do system users have valid shells
Index(es):
- Date
- Thread