On Tue, Jul 17, 2018 at 08:49:19PM +0200, Baptiste Jonglez via cfarm-users wrote:
> On 17-07-18, Segher Boessenkool wrote:
> > On Tue, Jul 17, 2018 at 12:44:09PM +0200, Baptiste Jonglez via cfarm-users wrote:
> > > As an experiment, we have just added PAM configuration to gcc13 and gcc14
> > > so that chsh does not ask for a password.
> > 
> > Cool.  Thanks for doing this.
> > 
> > > If you know about any security issues that could arise from this setting,
> > > please speak up!  If everything looks fine, we will deploy this setting to
> > > all farm machines.
> > 
> > It looks fine to me wrt security.
> 
> Yeah, PAM is supposed to be secure, but I'm just a bit concerned because
> this setup basically allows changing /etc/passwd without root privileges.

Just like passwd(1) you mean?  :-)

> > 2) Will we now get _more_ requests for help?  If someone messes up their
> > login shell setting, they cannot fix it themselves.
> 
> chsh only allows shells listed in /etc/shells :)
> 
>   $ chsh -s /bin/cat
>   chsh: /bin/cat is an invalid shell
>   $ chsh -s /bin/zsh
>   $
> 
> So, it should prevent most mistakes.

Oh of course.  For some reason I thought anything would be allowed, like
root can do; but you only don't need to authenticate, nothing else changes.

So yeah looks fine :-)


Segher
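
Added example, not part of the original thread and not cfarm's own tooling: a small audit that flags accounts whose login shell is not listed in /etc/shells, i.e. values chsh would have rejected as in the transcript above. The sample file contents, the function names and the `min_uid=1000` cutoff are assumptions made for illustration, and the /etc/shells parsing is simplified.

```python
# Added example: audit passwd login shells against the /etc/shells allowlist.
# SAMPLE_* data is constructed; function names and min_uid are assumptions.

DEFAULT_SHELL = "/bin/sh"  # passwd(5): an empty shell field means /bin/sh

SAMPLE_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/zsh
bob:x:1002:1002::/home/bob:/bin/cat
carol:x:1003:1003::/home/carol:
this line is malformed
"""


def parse_shells(text):
    """Return the set of absolute paths listed in /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("/"):
            shells.add(line)
    return shells


def unlisted_shells(passwd_text, shells_text, min_uid=1000):
    """Return (user, shell) pairs whose shell is not in the allowlist."""
    allowed = parse_shells(shells_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed entries instead of guessing
        name, uid, shell = fields[0], int(fields[2]), fields[6] or DEFAULT_SHELL
        if uid >= min_uid and shell not in allowed:
            findings.append((name, shell))
    return findings


if __name__ == "__main__":
    for user, shell in unlisted_shells(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{user}: login shell {shell} is not in /etc/shells")
```

To run it against a real machine, pass the contents of /etc/passwd and /etc/shells instead of the sample strings.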