
Re: New to debian -- question about shells & unused accounts



-- On Jul 28, 10:33am, Hamish Moffatt wrote:
> Subject: Re: New to debian -- question about shells & unused accounts
> On Tue, Jul 28, 1998 at 01:33:29AM -0700, Chris Ulrich wrote:
> 
> They all have "*" in the password field by default, which means that
> they can't login. Sometimes you do need to switch to them (with su),
> so then they need a shell; as root, you can su to any account without
> a password, even if it's locked. From memory postgresql requires you to
> do all database admin work from its special account, not root, so you'd
> su to root, then "su - postgres" again.
> 
> Hamish
-- End of excerpt from Hamish Moffatt --

  Okay -- that's one account that needs a shell.  A user can get 
authenticated in one of at least three ways that I can think of:
1: login (including xdm and ftp) -> verified by password
2: file (ssh/rsh) -> verified by checking file in home directory
3: magic (kerberos) -> verified by asking someone else in a secure way

  Of these methods, only #1 actually looks at the second field
of the shadow or passwd file.  Because every dead account has its
own home directory, there are many more ways to get a shell by
putting a .rhosts or .ssh/authorized key file into the account's
home directory (either through broken suid programs, misconfigured
programs, or NFS).  Since the majority of these accounts are not 
supposed to be used it seems like a needless exposure to have them
able to login at all.  Because they have a shell, it is possible
for an account to log onto the machine.

  I can think of only a very small class of programs that allow a
user to login with a useless shell but a valid password:
ftp (iff the useless shell is in /etc/shells)
xdm (iff xdm has not been configured to look in /etc/shells)

  Anyhow, my point is just that "no password" is not a certain way to
disable an account.  "No shell" is also not a secure way to disable
an account.  To make sure an account exists only to make files owned
by that UID look pretty, one needs to disable both.  To be completely
sure that even poorly configured debian machines remain as secure as
possible, placeholder accounts ought to have their shells and passwords
unusable unless there is a specific need otherwise.
chris

-- 
 Chris Ulrich        cdulrich@ucdavis.edu        530 754 4355
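
An audit for the condition the message above describes, as an added example that is not part of the original thread: it reports placeholder accounts that still have a usable password, a usable shell, or a trust file in the home directory. The UID cutoff, the shell list, the trust-file list and the sample passwd/shadow lines are assumptions constructed for this example.

```python
import os

# Assumed lists for this example; extend them for the system being audited.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
TRUST_FILES = (".rhosts", ".shosts", ".ssh/authorized_keys")

# Constructed sample data, not taken from a real machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/bin/false
postgres:x:31:32:postgres:/var/lib/postgres:/bin/bash
chris:x:1000:1000:Chris:/home/chris:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:10435:0:99999:7:::
daemon:*:10435:0:99999:7:::
games:*:10435:0:99999:7:::
news:$6$constructed$hash:10435:0:99999:7:::
postgres:!:10435:0:99999:7:::
chris:$6$constructed$hash:10435:0:99999:7:::
"""

def password_locked(field):
    # "*" or a leading "!" can never match a typed password. An empty field
    # means no password is needed at all, so it is not treated as locked.
    return field.startswith(("*", "!"))

def audit_placeholder_accounts(passwd_text, shadow_text, root="/", uid_min=1000):
    """Map each non-root account with UID < uid_min to its open login paths."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    findings = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, pw, uid, _gid, _gecos, home, shell = parts
        if int(uid) == 0 or int(uid) >= uid_min:
            continue
        if pw == "x":  # hash lives in shadow; a missing entry cannot authenticate
            pw = shadow.get(name, "*")
        problems = [] if password_locked(pw) else ["password usable"]
        if shell not in NOLOGIN_SHELLS:  # an empty shell field means /bin/sh
            problems.append("shell usable")
        problems += ["trust file " + f for f in TRUST_FILES
                     if os.path.exists(os.path.join(root, home.lstrip("/"), f))]
        if problems:
            findings[name] = problems
    return findings
```

An account absent from the result has both its password and its shell disabled and no trust file in its home directory; an account such as postgres that needs a shell will still be listed and has to be accepted deliberately.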

