
RE: Preventing logins /bin/false ?



> From: Vineet Kumar [mailto:debian-user@virtual.doorstop.net]
> Sent: Saturday, August 18, 2001 8:18 AM
>
> * Ian Perry (iperry@inertia.com.au) [010816 20:11]:
> > Hi,
> >
> > Quick question.
> > I have been using /dev/null to prevent shell logins (yet still leave pop3
> > etc running) as follows:
> > username:x:1000:1000:Mr User,,,:/home/homedir:/dev/null
> >
> > I noticed that the shell can also be put as /bin/false as in ftp
> >
> > I prefer /dev/null as the user is instantaneously disconnected without any
> > messages.
>
> Umm ... how does that make it preferable to /bin/false, which does (from
> the user's perspective) exactly the same?  Note: it has nothing to do
> with ftp, except that ftp users are commonly assigned this shell to

I realise this.

> prevent them from logging in to a shell. I think /bin/false is a more
> common approach, as it is an actual executable binary. Somehow that
> makes it make more sense to call exec() on. So really, what it does is
> actually run, failing, rather than failing to run (as a properly
> permissioned /dev/null would do).
>
> The difference seems pedantic, and it should make no practical
> difference.
>

I agree that it makes no practical difference.
If I log in with /bin/false I get...


Linux sydney 2.0.36 #1 Thu Sep 2 09:28:09 EST 1999 i686 unknown

Copyright (C) 1993-1999 Software in the Public Interest, and others

Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 20 16:50:17 on ttyp2 from IP.
No mail.


With /dev/null I get nothing, not even a message.

I would rather give people as little information about the system as
possible.  There is also a risk (however slight) that /bin/false could be
replaced with a bash program.  I don't believe that this could be done with
/dev/null (or could it ?)

BTW, 2.0.36 is incorrect, I just have not been bothered to fix it.

Ian
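
An added example, not part of the original message or thread: a Python audit for the concern raised above that a no-login shell such as /bin/false could be replaced. It reads passwd-format lines and flags shell paths that a non-trusted user could modify or swap. The function names, finding labels and the `ftpuser` sample line are assumptions made for illustration.

```python
import os
import stat

def parse_passwd(text):
    """Yield (user, shell) pairs from passwd(5)-format text."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[0], fields[6]

def audit_shell(path, trusted_uid=0):
    """Return findings for one shell path; an empty list means nothing to flag."""
    try:
        st = os.stat(path)  # follows symlinks, as exec would
    except OSError:
        return ["missing"]
    if stat.S_ISCHR(st.st_mode):
        # A device node such as /dev/null cannot be exec'd, so the
        # login fails to start it rather than running anything.
        return []
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if st.st_uid != trusted_uid:
        findings.append("owner-not-trusted")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    # A writable parent directory lets the file be swapped by rename.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != trusted_uid or parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent-dir-replaceable")
    return findings

def audit_passwd(text, trusted_uid=0):
    """Map each user to (shell, findings)."""
    return {u: (s, audit_shell(s, trusted_uid)) for u, s in parse_passwd(text)}

# Constructed sample: the first line is the entry quoted in the thread,
# the second is a made-up account using /bin/false.
SAMPLE = (
    "username:x:1000:1000:Mr User,,,:/home/homedir:/dev/null\n"
    "ftpuser:x:1001:1001:,,,:/home/ftpuser:/bin/false\n"
)

if __name__ == "__main__":
    for user, (shell, findings) in audit_passwd(SAMPLE).items():
        print(user, shell, findings or "ok")
```

The same checks apply to /dev/null itself: if it were ever replaced by a regular file, it would be reported like any other shell path instead of being skipped as a device node.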




