Hi Segher,

On 17-07-18, Segher Boessenkool wrote:
> Hi!
> 
> On Tue, Jul 17, 2018 at 12:44:09PM +0200, Baptiste Jonglez via cfarm-users wrote:
> > As an experiment, we have just added PAM configuration to gcc13 and gcc14
> > so that chsh does not ask for a password.
> 
> Cool.  Thanks for doing this.
> 
> > If you know about any security issues that could arise from this setting,
> > please speak up!  If everything looks fine, we will deploy this setting to
> > all farm machines.
> 
> It looks fine to me wrt security.

Yeah, PAM is supposed to be secure, but I'm just a bit concerned because
this setup basically allows changing /etc/passwd without root privileges.

> Two problems with it, probably not very serious:
> 
> 1) Not all machines use PAM;

I must admit I haven't tested on the more exotic OSes, but it should
work at least on all the Debian & Ubuntu machines (that's 80% of the machines).

> 2) Will we now get _more_ requests for help?  If someone messes up their
> login shell setting, they cannot fix it themselves.

chsh only allows shells listed in /etc/shells :)

  $ chsh -s /bin/cat
  chsh: /bin/cat is an invalid shell
  $ chsh -s /bin/zsh
  $

So, it should prevent most mistakes.

Baptiste
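
The /etc/shells check shown in the transcript above can also be run over existing accounts, to spot login shells that chsh would have refused. This is an added example, not part of the original message or of the farm's configuration; the function names, the sample files and the UID threshold of 1000 are assumptions.

```shell
#!/bin/sh
# Added example: audit login shells against an /etc/shells-style allow-list.

# Print the listed shells, skipping comments and blank lines
# (an approximation of how the system parses /etc/shells).
list_valid_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# is_valid_shell SHELL SHELLS_FILE: succeeds only on an exact, whole-line match.
is_valid_shell() {
    list_valid_shells "$2" | grep -Fxq -- "$1"
}

# audit_passwd PASSWD_FILE SHELLS_FILE [MIN_UID]
# Prints "user:shell" for each account at or above MIN_UID whose shell is
# not listed. System accounts often use nologin on purpose, hence MIN_UID.
audit_passwd() {
    min_uid=${3:-0}
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge "$min_uid" ] || continue
        [ -n "$shell" ] || shell=/bin/sh   # passwd(5): empty field means /bin/sh
        is_valid_shell "$shell" "$2" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Constructed sample data; 1000 as the first regular UID is an assumption.
run_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/bin/cat
carol:x:1002:1002:Carol:/home/carol:
EOF
    audit_passwd "$dir/passwd" "$dir/shells" 1000
    rm -rf "$dir"
}

run_demo
```

On a live system the two arguments would be /etc/passwd and /etc/shells.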
