Re: User's and Shells

From: Glynn Clements (glynn.clements@virgin.net)
Date: 12/23/02

    From: Glynn Clements <glynn.clements@virgin.net>
    Date: Mon, 23 Dec 2002 09:47:43 +0000
    To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
    
    

    OTERO Hernan Gustavo EDS wrote:

    > Looking in the /etc/passwd in my RH 8.0 installation, the users
    >
    > news:x:9:13:news:/etc/news:
    > rpm:x:37:37::/var/lib/rpm:/bin/bash
    >
    > have a shell. Why do these users need a shell?

    It *might* be because the "rpm" account is used to run some program
    which either:

    a) actually needs to know which is the preferred shell, or:

    b) doesn't actually need to know this information in order to perform
    the tasks for which it is used by the "rpm" account, but insists on
    having it anyway (e.g. because it sometimes does need it and the
    possibility of it being unavailable wasn't considered).

    This is just a guess; but it's the most obvious possibility (i.e. some
    program seems to insist upon the RPM account's shell being valid, so
    RH just decided to keep it happy).

    "Zow" Terry Brugger wrote:

    > Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to /bin/false,
    > so I would suspect that you can probably safely change it to that.

    Even this isn't necessarily safe; by the time that the "shell" gets to
    run, an attacker may have created a hostile environment for it. There
    have been actual security vulnerabilities arising from using an unsafe
    /bin/false program as a login shell; IIRC, it was a one-line shell
    script ("exit 1"), but a bug in the interpreter allowed an invalid
    user who had been dumped into the "/bin/false" script to interrupt the
    script and get an interactive shell.

    Adam H. Pendleton wrote:

    > >I'm wondering why I would want that - until now nobody could give me a
    > >good argument although everybody learns to remove the shells :-(
    > >
    > >* If I give my users a disabled password, they cannot login via passwd
    > > based ssh/ftp/pop3 etc.
    >
    > True enough. However, there are lots of situations where you want a user
    > to be able to login via FTP, but not have shell access. In this case,
    > "shells" such as /bin/nologin allow the shell program to return "TRUE",
    > thus allowing an FTP login, but not shell access through SSH, etc.

    However, note that some services don't care whether or not you have a
    valid shell (XDM doesn't care, IIRC). To be safe, you need to analyse
    each potential login mechanism[1] individually; exactly what
    constitutes a "valid" user for each mechanism?

    [1] I.e. any root-owned daemon or setuid-root program which changes
    its ID to an arbitrary user.

    -- 
    Glynn Clements <glynn.clements@virgin.net>
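
An added example, not part of the original message: a small audit of passwd entries for the conditions discussed in this thread (system accounts with a usable shell, an empty shell field, a no-login shell that services checking /etc/shells would still accept, and a no-login shell that is an interpreted script). The sample data, the UID ceiling of 499 and the set of no-login basenames are assumptions made for the illustration.

```python
import os

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
rpm:x:37:37::/var/lib/rpm:/bin/bash
ftpuser:x:501:501::/home/ftpuser:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/false
"""
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n# comment\n/sbin/nologin\n"
NOLOGIN = {"false", "nologin"}  # assumption: basenames meant to deny a shell
SYS_UID_MAX = 499               # assumption: ceiling for system-account UIDs

def parse_shells(text):
    """Return the set of shells listed in /etc/shells-style text."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}

def is_script(path):
    """True if the file starts with '#!', i.e. an interpreter runs it."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False

def audit(passwd_text, shells_text, script_check=is_script):
    valid, findings = parse_shells(shells_text), []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue  # skip malformed lines
        name, uid, shell = f[0], int(f[2]), f[6]
        effective = shell or "/bin/sh"  # passwd(5): empty field means /bin/sh
        nologin = os.path.basename(effective) in NOLOGIN
        notes = []
        if 0 < uid <= SYS_UID_MAX and not nologin:
            notes.append("system account with login shell " + effective)
        if not shell:
            notes.append("empty shell field defaults to /bin/sh")
        if nologin and effective in valid:
            notes.append("listed in /etc/shells: shell-checking services accept it")
        if nologin and script_check(effective):
            notes.append("no-login shell is an interpreted script")
        if notes:
            findings.append((name, notes))
    return findings

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(name, "->", "; ".join(notes))
```

To audit a real host, pass the contents of /etc/passwd and /etc/shells instead of the samples; the results still say nothing about login mechanisms that ignore the shell field entirely.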