Bob McGowan wrote:
Felipe Rocha wrote:
Hello,

I would like to know what the impact is of changing the value of the default bash '/bin/sh' of the system accounts.

If it doesn't cause a problem, which option ('/bin/false', '/usr/sbin/nologin' or '/dev/null') best fits this situation?

Here you have a list of accounts from '/etc/passwd' that I would like to change:

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/sh


Thanks,
Felipe Rocha

You will not be able to do a 'switch user' to those accounts. That is, even as root, an 'su daemon' will fail, since the named shell would simply exit.

This could be a big problem, depending on how the system handles running startup scripts (I haven't looked to see exactly how Debian handles it).

Many systems will use 'su XXX' in rc scripts, where XXX is one of the 'system' names, to start programs related to that system 'service'.

For example, an 'su mail' might be done before starting 'sendmail' (or other MTA), so it does not run with root privilege. This reduces the impact of security problems to things owned by 'mail', rather than opening the whole system up to the exploiter.

Bob

After checking /etc/init.d/*, I found that on my etch system, only one file appears to have an 'su ...' in it, so my previous comments don't look like they are too important for a Debian startup.

Still, I'd be awfully careful before trying to change them. Perhaps a test install, in a 'chroot' environment or under an x86 emulator, would be a good thing to use to test for possible impacts on basic functions.

Bob
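
The check described in the thread (looking through the startup scripts for 'su ...'), combined with a pass over the passwd file, as an added example that is not part of the original messages. The function names, the UID cutoff of 1000 and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list system accounts that still have a login shell and flag
# the ones a startup script runs through `su`, before any shell is changed.

# Shells treated as "no login": the three options asked about in the thread,
# plus /sbin/nologin and the special-purpose /bin/sync.
NOLOGIN_RE='^(/bin/false|/usr/sbin/nologin|/sbin/nologin|/dev/null|/bin/sync)$'

# list_shell_accounts PASSWD [MAX_UID]: names of non-root accounts with a UID
# below MAX_UID (default 1000, an assumption) or equal to 65534 whose shell is
# not in NOLOGIN_RE. An empty shell field counts as a login shell.
list_shell_accounts() {
    awk -F: -v max="${2:-1000}" -v re="$NOLOGIN_RE" '
        $3 != 0 && ($3 < max || $3 == 65534) && $7 !~ re { print $1 }' "$1"
}

# su_dependent_accounts PASSWD SCRIPT_DIR: the subset of those accounts that is
# named on a non-comment `su ...` line in a script directly under SCRIPT_DIR.
su_dependent_accounts() {
    for acct in $(list_shell_accounts "$1"); do
        if grep -hE "(^|[^[:alnum:]_])su[[:space:]]+(.*[[:space:]])?${acct}([[:space:];\"']|\$)" \
                "$2"/* 2>/dev/null | grep -qv '^[[:space:]]*#'; then
            echo "$acct"
        fi
    done
}

# make_sample DIR: write constructed sample data (not taken from a real host).
make_sample() {
    mkdir -p "$1/init.d"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    printf '%s\n' '#!/bin/sh' '# su daemon -c old-job' \
        'su mail -c "/usr/sbin/example-mta"' > "$1/init.d/example-mta"
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "login shell: $(list_shell_accounts "$tmp/passwd" | tr '\n' ' ')"
echo "used via su: $(su_dependent_accounts "$tmp/passwd" "$tmp/init.d" | tr '\n' ' ')"
rm -rf "$tmp"
```

On a real host the two functions take /etc/passwd and /etc/init.d as arguments. For an account the second function reports, root can still run a command as that account after the shell is changed by naming a shell explicitly, as in su -s /bin/sh -c '...' account.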
