Pantek Library

Re: User's and Shells

From: Glynn Clements <glynn.clements(at)virgin.net>
Date: Mon Dec 23 2002 - 04:47:43 EST

OTERO Hernan Gustavo EDS wrote:

> Looking in the /etc/passwd in my RH 8.0 installation, the users

It *might* be because the "rpm" account is used to run some program which either:

  1. actually needs to know which is the preferred shell, or:
  2. doesn't actually need to know this information in order to perform the tasks for which it is used by the "rpm" account, but insists on having it anyway (e.g. because it sometimes does need it and the possibility of it being unavailable wasn't considered).

This is just a guess; but it's the most obvious possibility (i.e. some program seems to insist upon the RPM account's shell being valid, so RH just decided to keep it happy).

"Zow" Terry Brugger wrote:

> Humm. . . On my Mandrake 9.0 box, the rpm user's shell is set to /bin/false ,

Even this isn't necessarily safe; by the time that the "shell" gets to run, an attacker may have created a hostile environment for it. There have been actual security vulnerabilities arising from using an unsafe /bin/false program as a login shell; IIRC, it was a one-line shell script ("exit 1"), but a bug in the interpreter allowed an invalid user who had been dumped into the "/bin/false" script to interrupt the script and get an interactive shell.

Adam H. Pendleton wrote:

> >I'm wondering why I would want that - until now nobody could give me a

However, note that some services don't care whether or not you have a valid shell (XDM doesn't care, IIRC). To be safe, you need to analyse each potential login mechanism[1] individually; exactly what constitutes a "valid" user for each mechanism?

[1] I.e. any root-owned daemon or setuid-root program which changes its ID to an arbitrary user.

-- 
Glynn Clements 
Received on Fri Dec 27 00:21:59 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT
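An added example, not part of the original message: a small audit of passwd entries that flags system accounts whose shell is listed as a valid login shell (the "rpm" case discussed above) and accounts whose "no-login" shell is an interpreted script rather than a compiled binary (the /bin/false case). The sample passwd lines, shell list, file contents and the `uid_min=500` cut-off are constructed assumptions; a shell check like this says nothing about services that ignore the shell field, which still have to be reviewed individually.

```python
# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rpm:x:37:37::/var/lib/rpm:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
broken-line-without-fields
"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash"}  # stand-in for /etc/shells
SAMPLE_HEADS = {                          # stand-in for the shells' first bytes
    "/bin/false": b"#!/bin/sh\nexit 1\n",   # one-line script
    "/sbin/nologin": b"\x7fELF\x02\x01\x01",  # compiled binary
}


def read_head(path, n=2):
    """Return the first n bytes of a real file, or b'' if it is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(n)
    except OSError:
        return b""


def audit(passwd_text, valid_shells, head_of=read_head, uid_min=500):
    """Return (user, shell, finding) for system accounts (0 < uid < uid_min)."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed entries instead of guessing
        # An empty shell field means /bin/sh, per passwd(5).
        user, uid, shell = fields[0], int(fields[2]), fields[6] or "/bin/sh"
        if uid == 0 or uid >= uid_min:
            continue  # root and ordinary users are out of scope here
        if shell in valid_shells:
            findings.append((user, shell, "valid-login-shell"))
        elif head_of(shell)[:2] == b"#!":
            # The shell depends on an interpreter behaving safely.
            findings.append((user, shell, "script-nologin-shell"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHELLS, lambda p: SAMPLE_HEADS.get(p, b"")):
        print(*f)
```

On a live system, pass the contents of /etc/passwd and /etc/shells and leave `head_of` at its default so the shell files themselves are inspected.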

