Re: Why do system users have valid shells
Russell Coker said:
> The idea of giving non-login accounts a shell of /bin/false is hardly
> new.
Out of curiosity, what security benefit does a shell of /bin/false grant,
that say, an encrypted password of "NOLOGIN" (or equivalently "*") does not
grant?
In what circumstances would a process be started using the shell field of
/etc/passwd without checking the password in either /etc/passwd and/or
/etc/shadow?
How many of those circumstances rely on having UID0 access to set userids?
(and thus write access to /etc/passwd and/or the chsh command)
This is very similar to the discussion last week on "read-only" /usr mounts.
Setting the shell to /bin/false does not change the security character of
the system.
You'd have to be root to run something as user "bin", and if you're root,
you can change "bin"'s shell.
--Joe
* A more important consideration is the location of "bin"'s $HOME.
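The post above turns on which of two fields actually stops a system account from being used: the password hash in /etc/shadow or the shell in /etc/passwd. The audit script below is an added example, not code from the thread or from its author. It parses a constructed /etc/passwd and /etc/shadow pair and reports, per account, whether the password is locked ("*" or a hash beginning with "!"), whether the shell is a non-login shell, or both. Treating /bin/false, /usr/sbin/nologin and /sbin/nologin as the non-login shells is an assumption of the example.

```shell
#!/bin/sh
# Audit which barrier, if any, stops a system account from logging in.
# Sample data is constructed for this example; it is not from a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftp:x:14:50:ftp:/srv/ftp:/usr/sbin/nologin'

SAMPLE_SHADOW='root:$6$fakehash1:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$6$fakehash2:19000:0:99999:7:::
ftp:$6$fakehash3:19000:0:99999:7:::'

# classify_accounts PASSWD_TEXT SHADOW_TEXT
# Prints "name class" per shadow entry, where class is one of:
#   password-and-shell  locked password AND non-login shell
#   password-only       locked password, but a usable shell
#   shell-only          usable password, only the shell field blocks a login
#   neither             usable password and usable shell
# Lines are tagged P: (passwd) or S: (shadow) so one awk pass can join them.
classify_accounts() {
    {
        printf '%s\n' "$1" | sed 's/^/P:/'
        printf '%s\n' "$2" | sed 's/^/S:/'
    } | awk -F: '
    $1 == "P" { shell[$2] = $8; next }
    $1 == "S" {
        hash = $3
        # "*" and a leading "!" mean no password can match; an empty
        # hash means no password is required at all, so it counts as usable.
        pw = (hash == "*" || hash ~ /^!/) ? "locked" : "unlocked"
        s = shell[$2]
        # An empty shell field defaults to /bin/sh, so it is a login shell.
        # The nologin set below is an assumption of this example.
        sh = (s == "/bin/false" || s == "/usr/sbin/nologin" || s == "/sbin/nologin") ? "nologin" : "login"
        if (pw == "locked" && sh == "nologin") c = "password-and-shell"
        else if (pw == "locked")               c = "password-only"
        else if (sh == "nologin")              c = "shell-only"
        else                                   c = "neither"
        print $2, c
    }'
}

# single_barrier_accounts PASSWD_TEXT SHADOW_TEXT
# Names of accounts that lack one or both barriers, i.e. everything that is
# not protected by both a locked password and a non-login shell.
single_barrier_accounts() {
    classify_accounts "$1" "$2" | awk '$2 != "password-and-shell" { print $1 }'
}

classify_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a live system the same functions take `getent passwd` output and the root-readable /etc/shadow. The "password-only" and "shell-only" classes are the interesting ones for the question in the thread: an account in "password-only" is reachable by anything that consults the shell field without authenticating (root running su or cron on its behalf), while "shell-only" relies on every service honouring the shell field.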