on Tue, May 28, 2002, Petro (petro@auctionwatch.com) seperated the wheat
from the chaff, and gave us the following chaff...:
> On Sat, May 25, 2002 at 12:32:02AM -0700, Karsten M. Self wrote:
> > The point was that the answer to your question ("Is this the first...")
> > is readily available from the usual place. Your assignment is to read
> > the earlier posts and either:
>
> There are over 100 links, many of them redundant, with the link you
> provided.
<...chaff...>
> > - Formulate a previously unaddressed reason root should have a
> > statically linked shell, rather than pollute the list with largely
> > irrelevent dialog.
>
> There is no reason to "formulate a previously unaddressed reason",
<...chaff...>
> > - Understand why the current alternative(s) are sufficient.
> They aren't. They are close, and can be made proper with a little
<...chaff...>
> > - Summarize findings to list and quietly exit the topic.
>
> Summary: Sash should be installed by default in /sbin/sash and as
> default should be the root users shell. It adds about 610k to a
> default install and has little or no downside in a properly set up
> environment.
Oh. Nearly salience.
Three line digression: I'm not opposed to hearing cogent arguments.
You've not presented any. You've whined. You're wasting my and the
lists time. Stop it. Get to the point.
OK, so you've presented a conclusion without substantiation. How about
a three minute lesson on why root's shell has been historically
statically linked:
The reason root's default shell (/sbin/sh) is statically linked is
historical. Back when 127MB was considered a large disk /usr (and
the libraries under /usr/lib) had to be mounted from a second disk
or NFS server. When a server boots into single-user mode it will
not mount the /usr partition breaking any dynamically linked shell.
The solution to this is simple: don't partition /usr. Since the
advent of larger hard drives there has not been a good reason to
partition /usr. There is also substantial risk associated with
partitioning the /usr filesystem.
http://www.roble.com/docs/sol_root_shell.html
This document goes on to discuss a number of myths about the root shell.
If you have specific countarguments, then make them.
There might be a number of reasons to advocate a particular root shell.
You haven't made them:
- Security.
- Recoverability / stability.
- Tradition.
- Standards / compliance.
- Site preferences / standards.
- Personal preference.
The first four seem to offer weak support at best for your position.
For a given site with multiple admins, a standard for root's shell among
the several admins is a Good Thing, as it keeps different admins from
clobbering one another (or forces them to use more substantial means to
do same). There's no need for that shell to be a statically linked one,
however.
I'd argue that personal preference and comfort have a lot to say for the
discussion. I *don't* run my systems as root. I *do* almost always
have a root shell available for rootly tasks. The shell I use (bash) is
powerful, script-sane, one I'm comfortable with, and (bonus) standard on
GNU/Linux. Why force me into too-tight gloves when I'm doing tasks
where polished execution matters?
The argument that bash won't run if you can only mount your root
partition (assuming this excludes /usr) won't hunt on Debian:
$ ldd /bin/bash
libncurses.so.5 => /lib/libncurses.so.5 (0x40020000)
libdl.so.2 => /lib/libdl.so.2 (0x4005e000)
libc.so.6 => /lib/libc.so.6 (0x40062000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
The valid arguments for a static root shell are system recovery and for
working on a system whose integrity is compromised. For the former, I'd
far prefer bootable rescue media (http://www.lnx-bbc.org/). For the
latter, a statically linked shell means you don't have to worry about
the integrity of system libs, but if your cracker's replaced the
system's copy of sash, you're still fscked. Better: use a known good
copy from inert media (a write-protected floppy, or CDROM), if you
absolutely *must* work on the system. Far better to shut down a
compromised box immediately, do a clean install, and clean of any uglies
lying around elsewhere.
I keep sash installed on my systems. Mostly so that I can dig myself
out of a hole if I fsck up libs or suffer bad (but not utterly fatal)
disk problems. I'd recommend it as a good fallback. As a default
shell, sash isn't acceptable as it's not POSIX compliant. It's useful
(and intended as same), but not standard.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
TWikIWETHEY: Technology, free software, GNU/Linux, and a little bit
of everything else: http://twiki.iwethey.org/twiki/bin/view/
Attachment:
pgpvauJwrEEab.pgp
Description: PGP signature