
Re: Why do system users have valid shells



Russell Coker said:
> The idea of giving non-login accounts a shell of /bin/false is hardly
> new.

Out of curiosity, what security benefit does a shell of /bin/false grant,
that say, an encrypted password of "NOLOGIN" (or equivalently "*") does not
grant?

In what circumstances would a process be started using the shell field of
/etc/passwd without checking the password in either /etc/passwd and/or
/etc/shadow?

How many of those circumstances rely on having UID0 access to set userids?
(and thus write access to /etc/passwd and/or the chsh command)

This is very similar to the discussion last week on "read-only" /usr mounts.
Setting the shell to /bin/false does not change the security character of
the system.

You'd have to be root to run something as user "bin", and if you're root,
you can change "bin"'s shell.

--Joe
* A more important consideration is the location of "bin"'s $HOME.
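The two controls contrasted above (a non-login shell versus a locked password field) are read at different points: the password field by whatever authenticates, the shell field by whatever spawns the shell. The audit below is an added example, not code from the original message or the thread. It parses constructed /etc/passwd and /etc/shadow content and reports, per account, which of the two controls is in place, flagging system accounts covered by neither. The sample lines, the set of nologin shells beyond /bin/false, and the 1..999 system-UID range are assumptions of the example.

```python
"""Audit: which accounts are protected by neither of the two independent
controls (a non-login shell vs. a locked password field)?

Added example, not code from the original message. The passwd/shadow
content, the nologin shell set and the system-UID range are assumptions.
"""

# Shells that refuse an interactive session. /bin/false is the one the
# thread names; the nologin variants are assumed in addition.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Hash-field values no password can match. "*" and "NOLOGIN" are the ones the
# message names; a leading "!" is the usermod -L / passwd -l convention.
LOCKED_HASH_VALUES = {"*", "!", "!!", "NOLOGIN", "NP"}

# Constructed sample data (not taken from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:35:35:guest:/var/guest:/bin/sh
joe:x:1000:1000:Joe:/home/joe:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
www-data:$6$salt$hash:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
joe:$6$salt$hash:19000:0:99999:7:::
"""


def shell_is_login(shell: str) -> bool:
    """True if the shell field would give an interactive session.
    An empty field counts as login-capable: login(1) substitutes /bin/sh."""
    return shell not in NOLOGIN_SHELLS


def password_is_locked(hash_field: str) -> bool:
    """True if nothing typed at a password prompt can match this field.
    An empty field is NOT locked: it means login with no password at all."""
    if hash_field == "":
        return False
    return hash_field in LOCKED_HASH_VALUES or hash_field.startswith("!")


def parse_passwd(text: str) -> dict:
    """name -> (uid, password_field, shell) from passwd-format lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries[name] = (int(uid), pw, shell)
    return entries


def parse_shadow(text: str) -> dict:
    """name -> hash field from shadow-format lines (nine colon-separated fields)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def audit(passwd_text: str, shadow_text: str) -> dict:
    """Per account: uid plus whether each of the two controls is in place."""
    shadow = parse_shadow(shadow_text)
    report = {}
    for name, (uid, pw, shell) in parse_passwd(passwd_text).items():
        # "x" defers to /etc/shadow; a missing shadow entry is treated as
        # unlocked so the audit errs toward reporting rather than hiding.
        hash_field = shadow.get(name, "") if pw == "x" else pw
        report[name] = {
            "uid": uid,
            "shell_locked": not shell_is_login(shell),
            "password_locked": password_is_locked(hash_field),
        }
    return report


def unlocked_system_accounts(passwd_text: str, shadow_text: str,
                             max_system_uid: int = 999) -> list:
    """Accounts in the assumed system range 1..max_system_uid that have a
    login shell AND a usable password field: neither control applies."""
    return sorted(
        name for name, r in audit(passwd_text, shadow_text).items()
        if 1 <= r["uid"] <= max_system_uid
        and not r["shell_locked"] and not r["password_locked"]
    )


if __name__ == "__main__":
    for name, r in audit(PASSWD, SHADOW).items():
        print(f"{name:9} uid={r['uid']:<5} shell_locked={str(r['shell_locked']):5} "
              f"password_locked={r['password_locked']}")
    print("neither control:", unlocked_system_accounts(PASSWD, SHADOW))
```

Run against a real system with `audit(open('/etc/passwd').read(), open('/etc/shadow').read())` as root. Note the two edge cases the classifier handles deliberately: an empty hash field is reported as unlocked (it is passwordless, not locked), and an empty shell field is reported as a login shell, since login falls back to /bin/sh.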