Hello Bill,
On Mon, 18 Jun 2007 at 17:53, Bill Allombert wrote:
> It is not the case on Debian by default:
> nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

That's true, but it is not as safe as I want to have it on my systems. (All system users on my system have /bin/sh unless a special reason gives them another.)

> Furthermore the point of user nobody is to be able to run processes
> that have no file access permission outside 'other' (since no files are
> owned by user or group nobody). If you preclude it from running
> programs, then this user is useless. If nobody does not have a default
> shell, every usage of 'su nobody' must hard-code a shell instead of
> following /etc/passwd. This is generally a bad thing. Only root can 'su
> nobody' anyway.

That is incorrect. If you have to call something as nobody, you know the shell it has to run under. Also, I never ever want a normal user to su to nobody at all! Moreover, nobody ever has to run an interactive shell as user nobody! So there is no need for a shell for this user. It is only a security problem IF the user nobody has a shell: when a server like, e.g., the webserver has a security flaw while running code as user nobody, the attacker has a shell for free (sure, with no home, but there are other places where nobody can write to)! So never give nobody a shell.

By the way, even if I give it a shell, how can you be sure that calling /bin/sh from this shell is allowed? Or maybe it has another syntax to call such a shell. And it is not useless at all, as every cron job can use su -s /bin/sh (or /bin/bash or /usr/bin/perl ... as you wish). This is also the case with /etc/cron.weekly/popularity-contest. You still select a shell explicitly. Why not select it by "su -s /bin/sh", which is cleaner and the safest way?

> /etc/cron.weekly/popularity-contest is not the only script to use
> 'su nobody' without -s.

Uh, it's the only one I know of till now. But that is only a side comment; popcon should be better than all other software, of course.
;-)

Best Regards
   Klaus

--
Klaus Ethgen                              http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <[EMAIL PROTECTED]>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
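An added example, not part of the thread or of popularity-contest, for the point argued above: a POSIX sh audit that lists system accounts in an /etc/passwd-style listing that still carry a usable login shell (as the default Debian `nobody` entry quoted above does), plus the `su -s` form Klaus recommends for cron jobs. The sample passwd lines and the function names are constructed for illustration; the uid-below-1000 cutoff is the Debian convention for system accounts.

```shell
#!/bin/sh
# Audit passwd lines (read from stdin) for system accounts that still have an
# interactive shell. Prints the offending user names, one per line.
#
# Note: an empty 7th field is NOT "no shell"; passwd(5) says it defaults to
# /bin/sh, so such an entry is reported too.
find_system_accounts_with_shell() {
    awk -F: '
        # system account: uid below 1000 (Debian convention) or the nobody uid
        ($3 + 0) < 1000 || ($3 + 0) == 65534 {
            if (($3 + 0) == 0) next          # uid 0 legitimately keeps a shell
            sh = $7
            if (sh == "/usr/sbin/nologin" || sh == "/sbin/nologin" ||
                sh == "/bin/false" || sh == "/usr/bin/false") next
            print $1
        }'
}

# How a cron job runs a command as nobody once nobody has no shell: choose the
# interpreter explicitly with -s instead of relying on /etc/passwd.
# (Needs root; defined here for reference, not invoked.)
run_as_nobody() {
    su -s /bin/sh -c "$1" nobody
}

# Constructed sample passwd data so the script runs stand-alone.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Findings for the sample, joined into one space-separated line.
sample_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_system_accounts_with_shell | tr '\n' ' '
}

echo "System accounts with a usable shell: $(sample_findings)"
# On a real host: find_system_accounts_with_shell < /etc/passwd
```

Accounts reported by the audit can be given a non-login shell (e.g. `usermod -s /usr/sbin/nologin nobody`) once every job that needs them has been switched to the explicit `su -s` form.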

