On Wed, 22 Oct 2003 18:50, Tobias Reckhard wrote:
> > also su user -c command won't work, you'll need to use sudo or suid bit,
> > and that's a bit messy.
>
> This is true, when I need to su to this user's account (for
> troubleshooting, usually), I need to 'chsh -s /bin/bash mirror' first
> (and change it back later). However, I only need to do this very seldom.
> And I haven't ever needed to su to daemon, bin, sys, games, man, lp,
> mail, news, uucp, proxy, postgres, www-data, backup, operator, list,
> irc, gnats, nobody, amavis or cyrus. That's the list of user accounts
> with shell /bin/sh on my Debian box.

Also I think it should be noted that even if there is some unusual
administrative action that requires having a valid shell, the administrator
could always change the shell, perform the action, then change it back.
Having a valid shell all the time because it might be needed at some time
is not a good idea.

I recall that there was a bug in pam in unstable at one time that would
allow logging in to those accounts. Setting the shells to /bin/false would
have prevented that bug from being a problem.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
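
Added example, not part of the original message: a shell audit that lists system accounts still carrying a usable login shell, the condition this thread recommends removing. The UID cutoff of 1000, the special-casing of UID 65534 (nobody), the set of shells treated as non-login, and the sample passwd data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumptions (not from the thread): UIDs below UID_MIN are system accounts,
# UID 65534 (nobody) is also a system account, and the shells listed in
# NOLOGIN_SHELLS are the ones treated as "cannot log in".
UID_MIN=1000
NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin /sbin/nologin"

# audit_shells FILE  (use "-" for stdin)
# Prints "name:uid:shell" for every system account, root excluded, whose
# shell is not in NOLOGIN_SHELLS.
audit_shells() {
    awk -F: -v min="$UID_MIN" -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) nologin[d[i]] = 1 }
        /^#/ || NF < 7 { next }                          # comments, malformed lines
        $3 == 0 { next }                                 # root keeps its shell
        $3 + 0 >= min + 0 && $3 + 0 != 65534 { next }    # regular users: out of scope
        {
            # passwd(5): an empty shell field means /bin/sh, so it counts as valid
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in nologin)) print $1 ":" $3 ":" shell
        }
    ' "${1:--}"
}

# Constructed sample in passwd(5) format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/false
mirror:x:105:105::/home/mirror:/bin/false
cyrus:x:106:8::/var/spool/cyrus:
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the constructed sample; on a real host run: audit_shells /etc/passwd
sample_passwd | audit_shells -
```

Each account it reports is a candidate for 'chsh -s /bin/false <account>', with the temporary switch back to a real shell done only when troubleshooting requires it.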