Re: Why do system users have valid shells
On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
> > 'su -s /bin/bash -c "cmd" user '
> >
> > sounds like a very bs argument
>
> Do you understand the term 'breakage' ?

Do you understand the term "testing"?

> How about the idea that changing something in the system may force you
> to rewrite parts of code?

Some of us have run fairly complete Linux machines for years with most of
those accounts set to /bin/bash for their shell without any problems. I
stopped doing that for two reasons, one is that upgrades of base-passwd
whinged at me all the time, and the other is that I have little need for such
measures now that I'm running SE Linux on all important machines.

As most people who are interested in secure systems are not yet running SE
Linux I think that there are some good benefits to be achieved by making the
shells of those accounts be /bin/bash by default.

As some people (such as myself) have run systems in such a manner for years
without breakage I am quite confident that we can get these things right.

We can start with "bin", "daemon", "sys", and "sync" which are the least
likely accounts to need a login shell. After those changes have been tested
to everyone's satisfaction we can then move on to others.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
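
An added example, not part of the original message: a small audit that reports, for the four accounts named above, whether the shell in a passwd-format file is a valid shell. The function names `audit_shells` and `demo` are hypothetical, the passwd and shells data are constructed, and "valid" is assumed to mean "listed in a shells(5)-format file".

```shell
#!/bin/sh
# audit_shells PASSWD_FILE SHELLS_FILE ACCOUNT...
# Prints one line per account: "<account> <shell> valid|invalid",
# or "<account> - missing" when the account has no passwd entry.
audit_shells() {
    passwd_file=$1
    shells_file=$2
    shift 2
    for account in "$@"; do
        awk -F: -v want="$account" -v shells="$shells_file" '
            BEGIN {
                # Load the valid shells, skipping comments and blank lines.
                while ((getline line < shells) > 0)
                    if (line !~ /^#/ && line != "") valid[line] = 1
            }
            $1 == want {
                found = 1
                # An empty shell field defaults to /bin/sh (passwd(5)).
                shell = ($7 == "") ? "/bin/sh" : $7
                print want, shell, ((shell in valid) ? "valid" : "invalid")
            }
            END { if (!found) print want, "-", "missing" }
        ' "$passwd_file"
    done
}

# Runs the audit over constructed sample data (not from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:
sync:x:4:65534:sync:/bin:/bin/sync
EOF
    cat > "$dir/shells" <<'EOF'
# constructed list of valid login shells
/bin/sh
/bin/bash
EOF
    audit_shells "$dir/passwd" "$dir/shells" bin daemon sys sync
    rm -rf "$dir"
}

demo
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells before and after each stage of a change to compare the results.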