On Thu, Jan 12, 2012 at 5:11 PM, Chris Davies <chris-use...@roaima.co.uk> wrote:
> Poison Bit <poison...@gmail.com> wrote:
>> Why filter to those in /etc/shells? I mean... the filter should be
>> applied by the system :)
>
> Mainly because it's a convenient list of "real" shells, and some of the
> remote service applications require a shell to be in that list. FTP is
> one such that springs to mind. As a counter example, /bin/false is a
> possible shell but it doesn't provide a particularly useful environment
> for the user. You could change the scriptlet to check for the 7th column
> being either empty or an executable file if you preferred.

Thanks, so my example should be more like:

  getent passwd | awk -F: '!/bin\/false/{print $1" "$7}'

If there is a single thread doing it, there is no race condition on
reading valid shells and then parsing a list of users.

>> But neither of the two snippets takes into account whether there is
>> sudo in the system, and what is gained in its config.
>
> I don't recall the OP mentioning access via sudo. (BICBW.)

Indeed, nor FTP; it was about: "why do most of the system users have
valid shells by default?"

>> Also, neither of the two snippets thinks about ForceCommand in ssh...
>> So I may be listed as /bin/bash, but I may only be able to run
>> /usr/bin/cal once as my shell and get kicked.
>
> ForceCommand requires an interactive shell-like login on the target,
> so I don't believe that's relevant here.

My point was that the user with /bin/bash in such parsing can still
have a ForceCommand /bin/false in sshd_config, but indeed this is not
relevant to "why so many system users have a valid shell".

So returning to topic... I've no idea on "why", my system just
references this:

  zmore /usr/share/doc/base-passwd/users-and-groups.txt.gz

Greets

--
Iñigo
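
One way to combine the two checks discussed above (the /etc/shells filter, and Chris's suggestion of testing whether the 7th column is empty or an executable file), as an added example that is not code from the thread. The function name `classify_shells`, the class labels and the sample passwd and shells data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify accounts by login shell.
# Usage: classify_shells PASSWD_FILE SHELLS_FILE
# Prints "user class" per account, where class is one of:
#   listed    shell is named in SHELLS_FILE (what the /etc/shells filter keeps)
#   default   7th field is empty, so login falls back to /bin/sh
#   nologin   shell is a "false" or "nologin" binary
#   unlisted  executable file that SHELLS_FILE does not name
#   missing   path does not exist or is not executable
classify_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$shell" ]; then
            class=default
        else
            case ${shell##*/} in
                false|nologin) class=nologin ;;
                *)  if grep -qxF -- "$shell" "$2"; then class=listed
                    elif [ -f "$shell" ] && [ -x "$shell" ]; then class=unlisted
                    else class=missing
                    fi ;;
            esac
        fi
        printf '%s %s\n' "$user" "$class"
    done < "$1"
}

# Constructed sample data so the example runs offline. /bin/sh is left out
# of the sample shells file on purpose, to show an executable, unlisted shell.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shells" <<'EOF'
# constructed stand-in for /etc/shells
/bin/bash
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
sync:x:4:65534:sync:/bin:
kiosk:x:1001:1001::/home/kiosk:/bin/sh
ghost:x:1002:1002::/home/ghost:/nonexistent/shell
EOF

demo_report() { classify_shells "$demo_dir/passwd" "$demo_dir/shells"; }
demo_report
```

On a live system the same function can be fed `getent passwd` output saved to a file together with the real /etc/shells. As the thread notes, a "listed" result says nothing about sudo rules or an sshd ForceCommand.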