On Wed, Oct 22, 2003 at 09:45:24AM +0200, Tobias Reckhard wrote:
> Hi
>
> We recently noticed that a stock woody install produces an /etc/passwd
> in which most, if not all, system users have a valid shell entry of
> /bin/sh. They're all unable to log in due to having no valid password,
> but best UNIX security practice typically involves giving accounts that
> don't need to be able to log in a shell of /bin/false or /bin/true. Other
> distros (at least some of them) appear to follow suit.

I have meant to ask this question for some time too. Especially since some
distributions (such as RedHat) provide system users with a /bin/noshell
shell. I'm not sure if this is the same shell as the one provided by Titan
[1], but IMHO I believe it's a must to have a shell that logs the entry
attempt to syslog (as opposed to what /bin/false or /bin/true do).

So, does anybody know of any issues (Debian specific or not) related to
using /bin/noshell instead?

Regards

Javi

PS: I guess, as for recommended practice, you mean CERT's guidelines:
http://www.cert.org/security-improvement/implementations/i049.02.html
which does suggest using Titan's noshell.

[1] Titan's noshell can be found at:
http://www.fish.com/titan/src1/noshell.c
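As an added example (not part of this thread, and not Titan's code), the following POSIX sh script audits a passwd(5)-format file and lists system accounts whose login shell is still interactive, which is the situation Tobias describes on a stock woody install. The sample passwd lines are constructed for the demonstration; the /bin/noshell and /usr/bin/noshell paths are assumptions about where an admin might install a noshell, and the 1000-59999 range for human users follows the Debian adduser defaults (FIRST_UID/LAST_UID).

```shell
#!/bin/sh
# Added example: list system accounts in a passwd(5) file whose login
# shell is interactive.  Not the Debian project's or Titan's code.

# Shells that do not hand out an interactive session.  The two noshell
# paths are assumed install locations, not something the thread states.
NONLOGIN_SHELLS="/bin/false /bin/true /usr/sbin/nologin /sbin/nologin /bin/noshell /usr/bin/noshell"

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# is_nonlogin_shell SHELL -> status 0 if SHELL is in NONLOGIN_SHELLS.
# An empty shell field counts as interactive: login(1) falls back to /bin/sh.
is_nonlogin_shell() {
    for s in $NONLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_passwd FILE
# Prints "user:uid:shell" for every system account (root excluded, since it
# is expected to have a real shell; UIDs 1000-59999 treated as human users
# per Debian adduser defaults) whose shell is interactive.
# Returns 0 when there are no findings, 1 otherwise.
audit_passwd() {
    file=$1
    findings=0
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        [ -z "$user" ] && continue
        # skip malformed lines with a non-numeric UID field
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -eq 0 ] && continue
        [ "$uid" -ge 1000 ] && [ "$uid" -le 59999 ] && continue
        if ! is_nonlogin_shell "$shell"; then
            printf '%s:%s:%s\n' "$user" "$uid" "$shell"
            findings=$((findings + 1))
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit-shells.sh /etc/passwd
# With no argument the constructed sample is audited instead.
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
else
    tmpf=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmpf"
    audit_passwd "$tmpf"
    rm -f "$tmpf"
fi
```

Against the constructed sample the script reports daemon, bin, sys and nobody, and exits non-zero so it can sit in a cron job or a post-install check; www-data (/bin/false) and the human user alice are left alone. If the noshell is installed somewhere else, add that path to NONLOGIN_SHELLS, since the script only knows the shell paths it is told about.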