On Mon, Jan 14, 2002 at 06:52:49AM -0500, Ivan R. wrote:
> > to, I can see no reason why not giving a user, that has *no* password,
> > a shell.
>
> if a user doesn't need a shell,
> why should we give him one?

Because a sysadmin could like to execute scripts under this uid via sudo as he thinks it's a security gain to not run every cronscript under root. (security in this case more in the sense "secure that this script does not 'rm -rf /' and being secure that he does not forget a chown afterwards which could otherwise be necessary").

> but I think a linux distribution like the debian
> must be "coherent" : why www-data and mail have got a shell
> and not mysql???

Well, um, I as the mysql maintainer should be able to tell it but mainly I guess because I was told (years ago) the same thing about "/bin/bash" in /etc/passwd is a security problem. In the meantime, I didn't find a valid argument for this sentence but I can't change it easily because people could have used the account "mysql" for e.g. ftp user (for whatever reason) and if I would give this user a shell they would immediately and maybe without the admin realizing it be able to login via ssh.

BTW, speaking of FTP servers, I would encourage everybody to use recent servers like e.g. proftpd which have their own passwd/group files and need the "system" accounts only to get the UID and ignore the system's shell and password so a www-data user could not login via ssh even if he had a valid ftp account and a valid shell in /etc/passwd.

bye,

-christian-
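An added example, not part of the original message or of any Debian package: a small audit that pairs passwd(5) with shadow(5) to find system accounts where a login shell and a usable password coincide, which is the combination the reply above says would allow an ssh login. The sample files, the `ftpweb` account, the list of no-login shells and the UID cutoff of 999 are assumptions made for the illustration.

```python
# Added example: the sample files below are constructed, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:101:103:MySQL Server:/var/lib/mysql:/bin/false
ftpweb:x:105:65534:ftp upload account:/var/www:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:11700:0:99999:7:::
mail:*:11700:0:99999:7:::
www-data:*:11700:0:99999:7:::
mysql:!:11700:0:99999:7:::
ftpweb:$6$constructedsalt$constructedhash:11700:0:99999:7:::
"""
# Assumption: these are the shells used on this host to deny interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def password_state(field):
    """Classify a shadow(5) password field."""
    if field == "":
        return "empty"      # no password is required to authenticate
    if field[0] in "!*":
        return "locked"     # cannot match any crypt(3) result
    return "set"

def audit(passwd_text, shadow_text, max_system_uid=999):
    """Return (user, shell, state) for non-root accounts up to max_system_uid
    (an assumed cutoff) that have a login shell."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # skip malformed lines
        name, pw, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        if uid == 0 or uid > max_system_uid or shell in NOLOGIN_SHELLS:
            continue
        # "x" means the hash lives in shadow; a missing shadow entry is treated as locked
        field = shadow.get(name, "*") if pw == "x" else pw
        findings.append((name, shell, password_state(field)))
    return findings

def password_login_possible(findings):
    """Accounts where a shell and a usable (or empty) password coincide."""
    return [name for name, _shell, state in findings if state != "locked"]

if __name__ == "__main__":
    for row in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(*row)
```

The audit covers password authentication only; it does not look at ssh keys or at FTP servers that keep their own passwd files.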

