Ben Hutchings writes ("Re: Moving bash from essential/required to important?"):
> This appears to open up any accounts that have been deliberately
> disabled by setting their shell to a nonexistent path.  I know that's a
> dumb way to disable an account, but that doesn't make this any less of a
> security hole.

Quite.

> How about checking for the configured shell in /etc/shells before
> enabling the fallback?

I don't think that's sufficient either.  I think this is just a bad
idea.

It might be OK if it were limited to some specified list of
nonexistent shells.

Ian.



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to