
Security hole in Debian's /bin/false?



Hello everyone,

I am just surfing Samba's Home Page and found this in a FAQ:

----

4.1 How do I set accounts for Samba users 

Samba users need Unix accounts on a Samba server. These accounts can 
be provided by the usual /etc/passwd mechanism or may be distributed with 
NIS ("yellow pages"). The server uses them to get the information about 
uid number and groups to which users belong. These accounts can be
pretty minimal in the sense that Samba will be quite happy with an 
entry which has '*' in a password field and /bin/false for a 
shell (`real' Unix logins with this type of account will be impossible,
obviously enough). Still one should be careful with this advice 
if you have real security concerns. On many machines (very popular on 
Linux systems) /bin/false is a shell script. This may
provide a foothold to a determined attacker. It is advisable to replace 
it with a "true" compiled program (linked statically if you use 
shared libraries).

----

I do not know much about security but Debian's /bin/false is also a
shell script. Are we at risk? Shouldn't /bin/false be changed to a
compiled version?

E.-

-- 

Eloy A. Paris
Information Technology Department
Rockwell Automation de Venezuela
Telephone: +58-2-9432311 Fax: +58-2-9430323
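The FAQ's advice above turns on one check: whether the "shell" given to a disabled account is an interpreted script or a compiled binary. The following POSIX sh audit is an added example, not part of the original post or of Debian or Samba; it classifies a file by its leading bytes (`#!` for a script, the ELF magic for a compiled binary) and lists every account in a passwd-format file whose login shell is a script. The function names and the sample passwd lines used in testing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the login shells listed in a
# passwd-format file and report accounts whose "disabled" shell is a script
# rather than a compiled binary.

# Print "script", "elf", "missing" or "other" for the file given as $1,
# judged by its first bytes ("#!" for a script, "\177ELF" for a binary).
shell_kind() {
    path=$1
    [ -f "$path" ] || { echo missing; return 0; }
    head2=$(head -c 2 "$path")
    head4=$(head -c 4 "$path")
    if [ "$head2" = '#!' ]; then
        echo script
    elif [ "$head4" = "$(printf '\177ELF')" ]; then
        echo elf
    else
        echo other
    fi
}

# Read a passwd-format file ($1) and print "user shell" for every account
# whose login shell is a script (constructed names; hypothetical helper).
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$shell" ] || continue
        if [ "$(shell_kind "$shell")" = script ]; then
            echo "$user $shell"
        fi
    done < "$1"
}

# Usage: sh audit_false.sh /etc/passwd
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
fi
```

The check only looks at the leading bytes, so it tells a script from a binary but says nothing about whether a binary is statically linked; for that second part of the FAQ's advice one would still inspect the binary with the system's usual tools (for example `file` or `ldd`).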


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
