Re: User?s and Shells

From: Zow (zow@llnl.gov)
Date: 12/27/02


To: Glynn Clements <glynn.clements@virgin.net>
Date: Fri, 27 Dec 2002 08:03:21 -0800
From: "Zow" Terry Brugger <zow@llnl.gov>


> > Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to
> > /bin/false ,
> > so I would suspect that you can probably safely change it to that.
>
> Even this isn't necessarily safe; by the time that the "shell" gets to

I'm sorry -- I wasn't precise enough in my choice of words. By "safely", I
meant with respect to the intended functionality of the system, not
necessarily the security of the system. And you're absolutely right: having
/bin/false there doesn't provide any guarantee of security. It will, however,
aid in protecting against using the account with a default password that was
unintentionally left on the system, or a brute-force attack against that
account. Problems with /bin/false aside, if an attacker can run arbitrary
code as a given user, it doesn't matter what shell (if any) that user is
assigned in /etc/passwd: the attacker can just exec whatever shell they want.

Terry

#include <disclaimer>