Bernd Eckenfels said:
> In article <[EMAIL PROTECTED]>
> you wrote:
>> Out of curiosity, what security benefit does a shell of /bin/false
>> grant, that say, an encrypted password of "NOLOGIN" (or equivalently
>> "*") does not grant?
>
> Two things, first it is more obvious from reading the password file
> (and therefore also avoids someone sneakily enabling those accounts
> (would you notice?))

Personally, yes, I would notice a change of the second passwd (shadow) field before I noticed a change at the end of a variable-length line of arbitrary text. Particularly if

    bin:*NOLOGIN*:2:2:bin:/bin:/bin/sh

were replaced with

    bin::2:2:bin:/bin:/bin/sh

or

    bin:te1huuhMqQ5K2:2:2:bin:/bin:/bin/sh

I'd notice the difference. As opposed to the change of bin's shell:

    bin:x:2:2:bin:/bin:/bin/false
    bin:x:2:2:bin:/bin:/bin/sh

> and secondly some other programs like ftp treat
> accounts with shells which are in /etc/shells better than others.

Those programs really should make sure the password is correct before granting user access to an account, no?

> And again it is a matter of "not granting priveledges where not
> needed".

The /etc/passwd file does not control granting of priveledges[sic]. It contains a map of UID <-> username <-> primary GID, a comment field (used by various system utilities and to set some ulimit defaults), and defaults for certain variables, such as $HOME and $SHELL. See passwd(5).

--Joe
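The check the thread is arguing about ("would you notice?") can be scripted rather than eyeballed. The following is an added example, not code from either poster: it parses passwd(5)/shadow(5) style lines, resolves the effective password field for each account, and reports accounts whose password field would still match some crypt(3) output (or is empty) even though the shell suggests a system account, plus the reverse case of a locked password paired with an ordinary login shell. The passwd and shadow lines are constructed for the example; the UID range treated as "system" (1..999) and the set of no-login shells are assumptions, not anything the thread states.

```python
"""Audit passwd/shadow entries for lock-state vs. shell mismatches.

Added example; the sample lines below are constructed, not taken from any
real system. The system-UID range and the no-login shell list are
assumptions for the example.
"""

# Constructed sample /etc/passwd content (7 colon-separated fields, passwd(5)).
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/false
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
lp:*NOLOGIN*:7:7:lp:/var/spool/lpd:/bin/sh
mail:te1huuhMqQ5K2:8:8:mail:/var/mail:/bin/sh
nobody::65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample /etc/shadow content (9 fields, shadow(5)); hashes are dummies.
SHADOW_LINES = """\
root:$6$salt$roothash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:$6$salt$daemonhash:19000:0:99999:7:::
alice:$6$salt$alicehash:19000:0:99999:7:::
"""

# Assumption: shells that are conventionally used to deny interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
# Assumption: UIDs 1..999 are treated as system accounts.
SYSTEM_UID_MIN, SYSTEM_UID_MAX = 1, 999


def parse_passwd(text):
    """Map username -> dict of the remaining passwd(5) fields."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell}
    return entries


def parse_shadow(text):
    """Map username -> encrypted-password field from shadow(5) lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def password_locked(field):
    """True if no crypt(3) output can ever equal this field.

    '*' or '!' (and anything starting with them, e.g. '*NOLOGIN*') never
    matches a hash.  An empty field is the opposite: no password at all.
    """
    if field == "":
        return False
    return field.startswith(("*", "!"))


def effective_password(name, passwd, shadow):
    """Resolve the field that a password check would actually compare against.

    'x' in passwd defers to shadow; 'x' with no shadow entry cannot match
    anything, so it is reported as None (effectively locked).
    """
    pw = passwd[name]["pw"]
    if pw == "x":
        return shadow.get(name)
    return pw


def audit(passwd_text, shadow_text):
    """Accounts that would accept a password login but look like system accounts,
    plus any account with an empty password. Returns (name, reason, shell)."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, e in passwd.items():
        pw = effective_password(name, passwd, shadow)
        if pw is None or password_locked(pw):
            continue
        if pw == "":
            findings.append((name, "empty password", e["shell"]))
        elif SYSTEM_UID_MIN <= e["uid"] <= SYSTEM_UID_MAX:
            findings.append((name, "hash present", e["shell"]))
    return findings


def locked_but_login_shell(passwd_text, shadow_text):
    """Accounts whose password is locked yet whose shell is an ordinary login
    shell: harmless for password logins, but relevant to tools that key off
    /etc/shells, as the quoted ftp remark notes."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    return [name for name, e in passwd.items()
            if (pw := effective_password(name, passwd, shadow)) is not None
            and password_locked(pw) and e["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    for name, reason, shell in audit(PASSWD_LINES, SHADOW_LINES):
        print(f"{name}: {reason} (shell {shell})")
    print("locked password, login shell:", locked_but_login_shell(PASSWD_LINES, SHADOW_LINES))
```

On the sample data this reports daemon and mail (system UIDs with a real-looking hash, so some password would be accepted) and nobody (empty field), and lists lp as locked-but-/bin/sh. The bin account is clean whichever field you look at, which is exactly the situation the two posters disagree about: the audit treats the password field as authoritative for "can log in" and the shell only as a secondary signal. A real run would read /etc/passwd and /etc/shadow (the latter needs root) instead of the embedded strings.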

