Hi, this may be a dumb question, but I really wonder if there's a policy (which I obviously haven't found) about which system users should get a valid shell and which shouldn't.
I get tons of warnings like this when I run tiger(8):

NEW: --WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (operator) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (postgres) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
NEW: --WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
[...]

Security-wise it's probably a good idea to give as few users as possible a valid shell, all others should get /bin/false, right?

Should I CC debian-security?

Uwe.
--
Uwe Hermann
http://www.hermann-uwe.de
http://www.it-services-uh.de | http://www.crazy-hacks.org
http://www.holsham-traders.de | http://www.unmaintained-free-software.org
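Added example, not part of the original message and not Tiger's own code: a small audit that lists the same kind of account the pass014w warnings above point at. It assumes a login is "disabled" when its shadow password field starts with "!" or "*", and that a shell is "valid" when it appears in the shells file. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Tiger's code. Assumptions: a login counts as "disabled"
# when its shadow password field starts with "!" or "*", and a shell counts as
# "valid" when it is listed in the shells file (/etc/shells on a real system).

# Usage: locked_with_shell PASSWD SHADOW SHELLS  -> one login name per line
locked_with_shell() {
    awk -F: '
        FILENAME == ARGV[1] {            # shells file: one path per line
            if ($0 != "" && $0 !~ /^#/) valid[$0] = 1
            next
        }
        FILENAME == ARGV[2] {            # shadow: name:hash:...
            if ($2 ~ /^[!*]/) locked[$1] = 1
            next
        }
        ($1 in locked) && ($7 in valid) { print $1 }   # passwd: field 7 = shell
    ' "$3" "$2" "$1"
}

# Constructed sample files (not taken from any real system).
write_sample() {
    dir=$1
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
games:x:5:60:games:/usr/games:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
alice:!$6$constructed$hash:19000:0:99999:7:::
EOF
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
locked_with_shell "$sample_dir/passwd" "$sample_dir/shadow" "$sample_dir/shells"
rm -rf "$sample_dir"
```

On a real system the same function can be pointed at /etc/passwd, /etc/shadow and /etc/shells (reading /etc/shadow requires root).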