Re: User's and Shells

From: Glynn Clements
Date: 12/23/02

    From: Glynn Clements <>
    Date: Mon, 23 Dec 2002 09:47:43 +0000

    OTERO Hernan Gustavo EDS wrote:

    > Looking in the /etc/passwd in my RH 8.0 installation, the users
    > news:x:9:13:news:/etc/news:
    > rpm:x:37:37::/var/lib/rpm:/bin/bash
    > have shells. Why do these users need a shell?

    It *might* be because the "rpm" account is used to run some program
    which either:

    a) actually needs to know which is the preferred shell, or:

    b) doesn't actually need to know this information in order to perform
    the tasks for which it is used by the "rpm" account, but insists on
    having it anyway (e.g. because it sometimes does need it and the
    possibility of it being unavailable wasn't considered).

    This is just a guess; but it's the most obvious possibility (i.e. some
    program seems to insist upon the RPM account's shell being valid, so
    RH just decided to keep it happy).

    "Zow" Terry Brugger wrote:

    > Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to /bin/false ,
    > so I would suspect that you can probably safely change it to that.

    Even this isn't necessarily safe; by the time that the "shell" gets to
    run, an attacker may have created a hostile environment for it. There
    have been actual security vulnerabilities arising from using an unsafe
    /bin/false program as a login shell; IIRC, it was a one-line shell
    script ("exit 1"), but a bug in the interpreter allowed an invalid
    user who had been dumped into the "/bin/false" script to interrupt the
    script and get an interactive shell.

    Adam H. Pendleton wrote:

    > >I'm wondering why I would want that - until now nobody could give me a
    > >good argument although everybody learns to remove the shells :-(
    > >
    > >* If I give my users a disabled password, they cannot login via passwd
    > > based ssh/ftp/pop3 etc.
    > True enough. However, there are lots of situations where you want a user
    > to be able to login via FTP, but not have shell access. In this case,
    > "shells" such as /bin/nologin allow the shell program to return "TRUE",
    > thus allowing an FTP login, but not shell access through SSH, etc.

    However, note that some services don't care whether or not you have a
    valid shell (XDM doesn't care, IIRC). To be safe, you need to analyse
    each potential login mechanism[1] individually; exactly what
    constitutes a "valid" user for each mechanism?

    [1] I.e. any root-owned daemon or setuid-root program which changes
    its ID to an arbitrary user.

    Glynn Clements <>
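The two points in the message above that an administrator can actually check are (1) which accounts carry an interactive shell at all, and (2) whether a "disabled" shell such as /bin/false is a compiled program or an interpreted script that runs in whatever environment the login service hands it. The following POSIX sh script is an added example written for this page; it is not code from the thread or from any distribution. It parses a passwd(5)-format file, classifies each account's shell, and flags script-based or missing "nologin" shells. The function names, the list of shell basenames treated as "no login", the fake shells and the sample passwd lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a passwd(5)-format file for
# accounts whose login shell is interactive, and flag "disabled" shells that are
# interpreted scripts (the /bin/false hazard described above) or that do not
# exist on this host. All fixture data below is constructed.

# Returns 0 if the basename of $1 is a conventional "no login" shell.
# Assumption: false, true and nologin cover the distributions of interest.
is_nologin_shell() {
    case "${1##*/}" in
        false|true|nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if $1 is a regular file whose first two bytes are "#!", i.e. a
# script that an interpreter will run under the caller's environment.
shell_is_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# classify_shell SHELL -> prints one of:
#   empty-shell      no shell field; login(1) falls back to /bin/sh
#   nologin-missing  disabled shell whose path does not exist here
#   nologin-script   disabled shell implemented as an interpreted script
#   nologin          disabled shell that is not a script
#   interactive      anything else, treated as a real shell
classify_shell() {
    if [ -z "$1" ]; then echo empty-shell
    elif is_nologin_shell "$1"; then
        if [ ! -e "$1" ]; then echo nologin-missing
        elif shell_is_script "$1"; then echo nologin-script
        else echo nologin
        fi
    else echo interactive
    fi
}

# audit_passwd FILE -> prints "user uid shell verdict", one line per account
audit_passwd() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s %s %s\n' "$user" "$uid" "${shell:-<none>}" \
            "$(classify_shell "$shell")"
    done < "$1"
}

# count_verdict FILE VERDICT -> number of accounts given that verdict
count_verdict() {
    audit_passwd "$1" | awk -v v="$2" '$4 == v' | wc -l | tr -d ' '
}

# Constructed fixture: a scripted false (the risky kind), a non-script nologin
# (only the magic bytes matter to this audit), a path that does not exist, and
# a passwd file modelled on the lines quoted in the thread.
FIXTURE=$(mktemp -d)
printf '#!/bin/sh\nexit 1\n' > "$FIXTURE/false"
printf '\177ELF' > "$FIXTURE/nologin"
chmod 755 "$FIXTURE/false" "$FIXTURE/nologin"
SAMPLE_PASSWD="$FIXTURE/passwd"
cat > "$SAMPLE_PASSWD" <<EOF
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
rpm:x:37:37::/var/lib/rpm:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:$FIXTURE/false
nobody:x:99:99:Nobody:/:$FIXTURE/nologin
lp:x:4:7:lp:/var/spool/lpd:$FIXTURE/missing/nologin
EOF

# Stand-alone run: print the verdict table for the constructed file.
audit_passwd "$SAMPLE_PASSWD"
```

Run it against the real file with `audit_passwd /etc/passwd`; every account reported as `interactive`, `empty-shell` or `nologin-script` is one whose login path still deserves the per-service analysis the message recommends, since a service that ignores the shell field will admit the user regardless of the verdict. The fixture directory is left in place so the output can be inspected.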
