Control: tags -1 + moreinfo Hi Dmitry et al,
On Tue, Mar 12, 2019 at 05:45:08PM +0100, Bálint Réczey wrote: > Dmitry Bogatov <kact...@debian.org> ezt írta (időpont: 2019. márc. > 10., V, 20:13): > > [2017-01-21 20:54] Balint Reczey <bal...@balintreczey.hu> > > > On Sat, 27 Sep 2014 21:14:46 -0500 Troy Benjegerdes <ho...@hozed.org> > > > wrote: > > > > So can we have a prerm script for bash that sets the root > > > > shell back to /bin/sh, or at least asks the admin if they want > > > > zsh or tcsh, and warns about any other users? > > > > > > > > Any of this stuff of trying to have login figure out the > > > > right shell seems like a new remote exploit in the making. > > > > > > It is too late for making changes related to this bug in Stretch. :-( > > > In the next cycle we will evaluate switching to login implementatiln in > > > util-linux per #833256. This bug may be solved by the switch or later in > > > util-linux. > > > > Hi! What is the current state of bug? There was fine (IMO) proposal, > > Only su moved to util-linux due to lack of time. :-( > > > > > So can we have a prerm script for bash that sets the root > > shell back to /bin/sh, or at least asks the admin if they want > > zsh or tcsh, and warns about any other users? > > > > but as bash=5.0-2 it did not make its way. What is missing? Should I > > submit patch, implementing this proposal? > > I think submitting the patch against bash makes sense, but the timing > is unfortunate again, since the full freeze is about to start. is there an open bug against bash for this? > It bash gets patched after the release we can make it happen for Buster+1. Is there anything to be done in src:shadow for this at all? I understand it was agreed to not patch shadow with a fallback for an absent shell. Then, all that is to be done lies with bash? Thanks, Chris
