
Re: Impact on changing the shell of default system accounts



Felipe Rocha wrote:
Hello,

I would like to know what the impact would be of changing the value of the default bash '/bin/sh' for the system accounts.

If that doesn't cause a problem, which option ('/bin/false', '/usr/sbin/nologin' or '/dev/null') best fits this situation?

Here is a list of accounts from '/etc/passwd' that I would like to change:

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh


Thanks,
Felipe Rocha

You will not be able to do a 'switch user' to those accounts. That is, even as root, an 'su daemon' will fail, since the named shell would simply exit.

This could be a big problem, depending on how the system handles running startup scripts (I haven't looked to see exactly how Debian handles it).

Many systems will use 'su XXX' in rc scripts, where XXX is one of the 'system' names, to start programs related to that system 'service'.

For example, an 'su mail' might be done before starting 'sendmail' (or other MTA), so it does not run with root privilege. This reduces the impact of security problems to things owned by 'mail', rather than opening the whole system up to the exploiter.

Bob
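The trade-off Bob describes (locking the shell versus keeping "run this service as user X" working) is easy to check mechanically. The script below is an added example written for this page, not code from either poster or from Debian: it audits a passwd-format file for non-root accounts that still have an interactive shell, emits the `usermod -s` commands to lock them, checks that a candidate shell is actually executable (which rules out '/dev/null', a character device that cannot be exec'd), and shows the `su -s /bin/sh -c ...` form that rc scripts can use so that an `su mail` still works after the shell has been changed. The passwd sample is constructed from the accounts in the question (with root added) and is not a live /etc/passwd; only POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh + awk.
# The sample below is CONSTRUCTED from the question's account list (root added);
# it is not a real /etc/passwd.

SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh
EOF

# A usable "no login" shell must be a regular, executable file. /bin/false and
# nologin qualify; /dev/null does not (it is a device node, exec() on it fails),
# so it is never a correct value for the shell field.
is_valid_shell() {
    [ -f "$1" ] && [ -x "$1" ]
}

# First candidate present on this host. nologin is preferred because it prints
# "This account is currently not available."; /bin/false is the silent fallback.
pick_nologin_shell() {
    for s in /usr/sbin/nologin /sbin/nologin /bin/false; do
        if is_valid_shell "$s"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# Print non-root accounts whose shell field is an interactive shell.
# Matching on the basename is a heuristic; /bin/sync is deliberately not matched.
# $1 = passwd-format file.
accounts_with_shell() {
    awk -F: '$3 != 0 && $7 ~ /\/(sh|bash|dash|ksh|zsh|csh|tcsh)$/ { print $1 }' "$1"
}

# Same filter, but return the count (for scripted checks).
count_accounts_with_shell() {
    awk -F: '$3 != 0 && $7 ~ /\/(sh|bash|dash|ksh|zsh|csh|tcsh)$/ { n++ }
             END { print n + 0 }' "$1"
}

# Emit one usermod command per account; review the list, then run as root.
# $1 = passwd-format file, $2 = replacement shell (e.g. from pick_nologin_shell).
usermod_cmds() {
    accounts_with_shell "$1" | while read -r u; do
        printf 'usermod -s %s %s\n' "$2" "$u"
    done
}

# rc-script pattern that keeps working after the change: -s overrides the
# account's passwd shell for this one invocation, so a plain "su mail" failing
# (the named shell just exits) no longer matters. Requires root; not run by the
# self-test. On Debian, "start-stop-daemon --chuid USER" achieves the same.
run_as_user() {
    su -s /bin/sh -c "$2" "$1"
}

# Stand-alone demo output.
echo "Accounts still carrying an interactive shell:"
accounts_with_shell "$SAMPLE_PASSWD"
echo "Suggested commands:"
usermod_cmds "$SAMPLE_PASSWD" "$(pick_nologin_shell || echo /bin/false)"
```

Run it as an ordinary user to see the audit and the generated commands; only `run_as_user` (and the emitted `usermod` lines) need root. Note that the audit deliberately skips uid 0 and the `sync` account, whose '/bin/sync' shell is not a login shell in the first place.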
