Re: Why do system users have valid shells
Bernd Eckenfels said:
> In article <1843.216.196.203.220.1066819179.squirrel@www.iegrec.org>
> you wrote:
>> Out of curiosity, what security benefit does a shell of /bin/false
>> grant, that say, an encrypted password of "NOLOGIN" (or equivalently
>> "*") does not grant?
>
> Two things, first it is more obvious from reading the password file
> (and therefore also avoids someone sneakily enabling those accounts
> (would you notice?))
Personally, yes, I would notice a change of the second passwd (shadow) field
before I noticed a change at the end of a variable-length line of arbitrary
text. Particularly if
"bin:*NOLOGIN*:2:2:bin:/bin:/bin/sh" were replaced with
"bin::2:2:bin:/bin:/bin/sh" or
"bin:te1huuhMqQ5K2:2:2:bin:/bin:/bin/sh", I'd notice the difference.
As opposed to the change of bin's shell:
"bin:x:2:2:bin:/bin:/bin/false"
"bin:x:2:2:bin:/bin:/bin/sh"
> and secondly some other programs like ftp treat
> accounts with shells which are in /etc/shells better than others.
Those programs really should make sure the password is correct before
granting user access to an account, no?
> And again it is a matter of "not granting priveledges where not
> needed".
The /etc/passwd file does not control granting of priveledges[sic]. It
contains a map of UID <-> username <-> Primary GID, a comment field (used by
various system utilities and to set some ulimit defaults), and defaults for
certain variables, such as $HOME and $SHELL. See passwd(5).
--Joe
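The two signals the thread argues about, a locked password field versus a non-login shell, are both mechanical to check and to watch for changes. The following is an added example, not code from either poster; it parses passwd(5)-, shadow(5)- and /etc/shells-style text (constructed sample data embedded inline) and reports system accounts that still have a shell listed in /etc/shells or a password field that is empty or not locked, and it diffs two passwd snapshots so that the kind of edit Joe describes (bin's shell flipping from /bin/false to /bin/sh) shows up as a named field change. The `uid_min=1000` threshold for "system account" and the `password_locked` rule (a `*` or `!` prefix) are assumptions stated in the code.

```python
"""Audit passwd/shadow/shells data for the two signals discussed in the thread
(locked password field vs. non-login shell) and diff passwd snapshots.
All sample data below is constructed for this example, not taken from a system."""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample /etc/passwd: bin has a locked password but a login shell,
# games has an empty password field.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
games:x:5:60:games:/usr/games:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joe:x:1000:1000:Joe:/home/joe:/bin/bash
"""

# Same data before bin's shell was changed from /bin/false to /bin/sh.
PASSWD_BEFORE = PASSWD.replace("bin:x:2:2:bin:/bin:/bin/sh",
                               "bin:x:2:2:bin:/bin:/bin/false")

# Constructed sample /etc/shadow; hashes are placeholders, not real crypt output.
SHADOW = """\
root:$6$salt$hashplaceholder:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
games::15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
joe:$6$salt$anotherplaceholder:15000:0:99999:7:::
"""

# Constructed sample /etc/shells.
SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""


def parse_passwd(text):
    """Map user name -> dict of the seven passwd(5) fields."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[parts[0]] = dict(zip(PASSWD_FIELDS, parts))
    return users


def parse_shadow(text):
    """Map user name -> encrypted-password field (second field of shadow(5))."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if ":" in line}


def parse_shells(text):
    """Set of shells listed in /etc/shells, ignoring comments and blank lines."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def password_locked(field):
    """Assumed rule: a '*' or '!' prefix can never match a typed password.
    An empty field is the opposite case (no password needed) and is handled by the caller."""
    return field.startswith(("*", "!"))


def audit(passwd_text, shadow_text, shells_text, uid_min=1000):
    """Return {user: [issues]} for accounts reachable in ways a system account should not be.
    uid_min is an assumed boundary between system and regular accounts; root is exempt."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    shells = parse_shells(shells_text)
    findings = {}
    for name, u in users.items():
        issues = []
        pw = hashes.get(name, u["passwd"])   # fall back to passwd field if no shadow entry
        system = int(u["uid"]) < uid_min and name != "root"
        if pw == "":
            issues.append("empty password field")
        elif system and not password_locked(pw):
            issues.append("system account password not locked")
        if system and u["shell"] in shells:
            issues.append(f"system account has login shell {u['shell']}")
        if issues:
            findings[name] = issues
    return findings


def diff_passwd(old_text, new_text):
    """List (user, field, old, new) for every field that differs between two snapshots,
    so a shell change at the end of a line is reported by name rather than eyeballed."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append((name, "account", None, "added"))
        elif name not in new:
            changes.append((name, "account", "removed", None))
        else:
            for f in PASSWD_FIELDS:
                if old[name][f] != new[name][f]:
                    changes.append((name, f, old[name][f], new[name][f]))
    return changes


if __name__ == "__main__":
    for user, issues in audit(PASSWD, SHADOW, SHELLS).items():
        print(f"{user}: {'; '.join(issues)}")
    for change in diff_passwd(PASSWD_BEFORE, PASSWD):
        print("changed:", change)
```

On a live Debian system the three texts would come from /etc/passwd, /etc/shadow and /etc/shells; keeping a copy of the passwd file and running `diff_passwd` against the current one is the cheap way to get the "would you notice?" answer without relying on reading variable-length lines by eye.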