Russell Coker said:
> The idea of giving non-login accounts a shell of /bin/false is hardly
> new.

Out of curiosity, what security benefit does a shell of /bin/false grant, that, say, an encrypted password of "NOLOGIN" (or equivalently "*") does not grant?

In what circumstances would a process be started using the shell field of /etc/passwd without checking the password in either /etc/passwd and/or /etc/shadow? How many of those circumstances rely on having UID0 access to set userids? (and thus write access to /etc/passwd and/or the chsh command)

This is very similar to the discussion last week on "read-only" /usr mounts. Setting the shell to /bin/false does not change the security character of the system. You'd have to be root to run something as user "bin", and if you're root, you can change "bin"'s shell.

--Joe

* A more important consideration is the location of "bin"'s $HOME.
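
An added example, not part of the original message: a small audit that reports, per account, the two controls the thread compares (a locked password field versus a non-login shell) together with the home directory. The passwd/shadow entries are constructed sample data; the list of non-login shells and the treatment of a missing shadow entry as locked are assumptions of this sketch.

```python
# Constructed sample data (not from a real host), passwd(5)/shadow(5) format.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
backup:x:34:34:backup:/var/backups:/bin/false
"""
SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:NOLOGIN:19000:0:99999:7:::
backup::19000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}  # assumption

def password_state(field):
    """Classify a password field as empty, locked, or set."""
    if field == "":
        return "empty"    # no password is required at all
    if field[0] in "*!" or field == "NOLOGIN":
        return "locked"   # not a valid hash, so no password can match
    return "set"

def audit(passwd_text, shadow_text):
    """Join passwd and shadow entries into one row per account."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l)
    rows = []
    for line in filter(None, passwd_text.splitlines()):
        name, pw, uid, _gid, _gecos, home, shell = line.split(":")
        if pw == "x":                      # real field lives in shadow
            pw = shadow.get(name, "*")     # assumption: missing entry = locked
        rows.append({"user": name, "uid": int(uid), "home": home,
                     "shell_blocks_login": shell in NOLOGIN_SHELLS,
                     "password": password_state(pw)})
    return rows

def findings(rows):
    """Accounts with no password, or where only one control is in place."""
    out = []
    for r in rows:
        if r["password"] == "empty":
            out.append((r["user"], "empty password field"))
        elif (r["password"] == "locked") != r["shell_blocks_login"]:
            out.append((r["user"], "password lock and shell disagree"))
    return out

if __name__ == "__main__":
    for user, why in findings(audit(PASSWD, SHADOW)):
        print(f"{user}: {why}")
```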