Bug#410221: shells.5, noshell, and su

2007-06-21 Thread Javier Fernández-Sanguino Peña
On Wed, Jun 20, 2007 at 07:52:30AM +0200, Michael Kerrisk wrote:
> So, now I'm starting to get clearer.  Are you saying that su will reject a
> user if their login shell is not one of those listed in /etc/shells?

No, su will not reject the user, but it will not allow a user 'switching' to it
to set up an alternate shell (through --shell) if the user's shell is *not*
listed in /etc/shells.

So, if you have a disabled user (shell is '/usr/sbin/nologin' and is not
listed in /etc/shells), a local user cannot 'su' to it, as any commands will
be executed using that shell and the local user cannot force it to use a
different one.

Hope the explanation helps,

Javier




Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Michael Kerrisk


Justin Pryzby wrote:
> On Tue, Jun 19, 2007 at 10:47:05PM +0200, Michael Kerrisk wrote:
>> Justin Pryzby wrote:
>>> On Tue, Jun 19, 2007 at 09:51:32PM +0200, Michael Kerrisk wrote:
> 
> [.. See bug #410221 ..]
> 
>>>> Justin,
>>>>
>>>> Are you suggesting something needs to change in shells(5)?  I can't work
>>>> out what it is from a short read of your mail.
>>> Suggesting but not necessarily recommending; Linux su must be more
>>> canonical than some unnamed ftpds.
>> Hi Justin,
>>
>> Make your suggestion as a patch please...
> 
> --- - 2007-06-19 19:09:45.068002000 -0400
> +++ /tmp/shells.5 2007-06-19 19:09:38.0 -0400
> @@ -23,20 +23,25 @@
>  .\" Modified Sat Jul 24 17:11:07 1993 by Rik Faith ([EMAIL PROTECTED])
>  .\" Modified Sun Nov 21 10:49:38 1993 by Michael Haardt
>  .\" Modified Sun Feb 26 15:09:15 1995 by Rik Faith ([EMAIL PROTECTED])
> -.TH SHELLS 5 1993-11-21 "" "Linux Programmer's Manual"
> +.\" Modified Tue Jun 19 22:57:29 2007 by Justin Pryzby <[EMAIL PROTECTED]>
> +.TH SHELLS 5 2007-06-19 "" "Linux Programmer's Manual"
>  .SH NAME
>  shells \- pathnames of valid login shells
>  .SH DESCRIPTION
>  .I /etc/shells
> -is a text file which contains the full pathnames of valid login shells.
> +is a text file which contains the absolute pathnames of valid login
> +shells.
>  This file is consulted by
>  .BR chsh (1)
> -and available to be queried by other programs.
> -.PP
> -Be aware that there are programs which consult this file to
> -find out if a user is a normal user.
> -E.g.: ftp daemons traditionally
> +and is available to be queried by other programs.
> +.SH NOTES
> +Be aware that some programs consult this file to test if a user is a
> +normal user or a disabled "system" user.  Linux

So, now I'm starting to get clearer.  Are you saying that su will reject a
user if their login shell is not one of those listed in /etc/shells?

Cheers,

Michael

> +.B su
> +considers shells not listed here to be "restricted", and some ftp daemons
>  disallow access to users with shells not included in this file.
> +.SH FILES
> +.I /etc/shells
>  .SH EXAMPLE
>  .I /etc/shells
>  may contain the following paths:
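Review bot: the new NOTES sentence "Linux su considers shells not listed here to be "restricted"" does not say what "restricted" means in practice, so an administrator cannot act on it. As Javier's reply in this thread explains, what su actually does is refuse a --shell override for a target account whose shell is not in /etc/shells, so the target's own shell is always run; suggest stating that concretely, e.g. `.BR su (1)` / `will not honor its \-\-shell option for a target account whose shell is not listed here,` and adding the consequence this bug is about: a shell intended to disable an account (nologin, noshell) must therefore not be listed in this file. Two smaller points in the same hunk: "Linux su" misattributes the behaviour, since su is a user-space utility and not part of the kernel, so a `.BR su (1)` cross-reference (with a matching SEE ALSO entry) is better; and placing .SH NOTES ahead of .SH FILES departs from the usual man-pages section order (FILES before NOTES, then EXAMPLE), which the move from the end of the file in the second hunk does not otherwise require.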
> @@ -46,8 +51,6 @@
>  .br
>  .I /bin/csh
>  .RE
> -.SH FILES
> -.I /etc/shells
>  .SH "SEE ALSO"
>  .BR chsh (1),
>  .BR getusershell (3)
> 
> 
> 
> 
> --- - 2007-06-19 19:09:42.903722000 -0400
> +++ /tmp/shells.5 2007-06-19 19:09:38.0 -0400
> @@ -23,20 +23,25 @@
>  .\" Modified Sat Jul 24 17:11:07 1993 by Rik Faith ([EMAIL PROTECTED])
>  .\" Modified Sun Nov 21 10:49:38 1993 by Michael Haardt
>  .\" Modified Sun Feb 26 15:09:15 1995 by Rik Faith ([EMAIL PROTECTED])
> -.TH SHELLS 5 1993-11-21 "" "Linux Programmer's Manual"
> +.\" Modified Tue Jun 19 22:57:29 2007 by Justin Pryzby <[EMAIL PROTECTED]>
> +.TH SHELLS 5 2007-06-19 "" "Linux Programmer's Manual"
>  .SH NAME
>  shells \- pathnames of valid login shells
>  .SH DESCRIPTION
>  .I /etc/shells
> -is a text file which contains the full pathnames of valid login shells.
> +is a text file which contains the absolute pathnames of valid login
> +shells.
>  This file is consulted by
>  .BR chsh (1)
> -and available to be queried by other programs.
> -.PP
> -Be aware that there are programs which consult this file to
> -find out if a user is a normal user.
> -E.g.: ftp daemons traditionally
> +and is available to be queried by other programs.
> +.SH NOTES
> +Be aware that some programs consult this file to test if a user is a
> +normal user or a disabled "system" user.  Linux
> +.B su
> +considers shells not listed here to be "restricted", and some ftp daemons
>  disallow access to users with shells not included in this file.
> +.SH FILES
> +.I /etc/shells
>  .SH EXAMPLE
>  .I /etc/shells
>  may contain the following paths:
> @@ -46,8 +51,6 @@
>  .br
>  .I /bin/csh
>  .RE
> -.SH FILES
> -.I /etc/shells
>  .SH "SEE ALSO"
>  .BR chsh (1),
>  .BR getusershell (3)

-- 
Michael Kerrisk
maintainer of Linux man pages Sections 2, 3, 4, 5, and 7

Want to help with man page maintenance?  Grab the latest tarball at
http://www.kernel.org/pub/linux/docs/manpages/
read the HOWTOHELP file and grep the source files for 'FIXME'.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Michael Kerrisk


Justin Pryzby wrote:
> On Tue, Jun 19, 2007 at 09:51:32PM +0200, Michael Kerrisk wrote:
>>
>> Justin Pryzby wrote:
>>> clone 410221 -1
>>> retitle -1 noshell: strongly suggest deregistering from etc/shells, not registering
>>> severity -1 important
>>> tag -1 security
>>>
>>> Hi Michael and Javier and security@,
>>>
>>> Regarding shells(5) manpage, I thought you might be interested that
>>> /bin/su also (in addition to some ftpd) defines "restricted shell" as
>>> "shells not in etc/shells".  This is perhaps more relevant since most
>>> people know to avoid ftpd but su is a core package.  Also people might
>>> go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
>>> follow the best-practice instructions, only to have su use this
>>> information to decide that it's perfectly reasonable for some obscure
>>> thing like gnats to su root...
>> Justin,
>>
>> Are you suggesting something needs to change in shells(5)?  I can't work
>> out what it is from a short read of your mail.
> Suggesting but not necessarily recommending; Linux su must be more
> canonical than some unnamed ftpds.

Hi Justin,

Make your suggestion as a patch please...

Cheers,

Michael







Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Justin Pryzby
On Tue, Jun 19, 2007 at 09:51:32PM +0200, Michael Kerrisk wrote:
> 
> 
> Justin Pryzby wrote:
> > clone 410221 -1
> > retitle -1 noshell: strongly suggest deregistering from etc/shells, not registering
> > severity -1 important
> > tag -1 security
> > 
> > Hi Michael and Javier and security@,
> > 
> > Regarding shells(5) manpage, I thought you might be interested that
> > /bin/su also (in addition to some ftpd) defines "restricted shell" as
> > "shells not in etc/shells".  This is perhaps more relevant since most
> > people know to avoid ftpd but su is a core package.  Also people might
> > go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
> > follow the best-practice instructions, only to have su use this
> > information to decide that it's perfectly reasonable for some obscure
> > thing like gnats to su root...
> 
> Justin,
> 
> Are you suggesting something needs to change in shells(5)?  I can't work
> out what it is from a short read of your mail.
Suggesting but not necessarily recommending; Linux su must be more
canonical than some unnamed ftpds.

Justin





Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Michael Kerrisk


Justin Pryzby wrote:
> clone 410221 -1
> retitle -1 noshell: strongly suggest deregistering from etc/shells, not registering
> severity -1 important
> tag -1 security
> 
> Hi Michael and Javier and security@,
> 
> Regarding shells(5) manpage, I thought you might be interested that
> /bin/su also (in addition to some ftpd) defines "restricted shell" as
> "shells not in etc/shells".  This is perhaps more relevant since most
> people know to avoid ftpd but su is a core package.  Also people might
> go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
> follow the best-practice instructions, only to have su use this
> information to decide that it's perfectly reasonable for some obscure
> thing like gnats to su root...

Justin,

Are you suggesting something needs to change in shells(5)?  I can't work
out what it is from a short read of your mail.

Cheers,

Michael






Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Javier Fernández-Sanguino Peña
On Tue, Jun 19, 2007 at 10:56:05AM -0400, Justin Pryzby wrote:
> Regarding shells(5) manpage, I thought you might be interested that
> /bin/su also (in addition to some ftpd) defines "restricted shell" as
> "shells not in etc/shells".  This is perhaps more relevant since most
> people know to avoid ftpd but su is a core package.  Also people might
> go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
> follow the best-practice instructions, only to have su use this
> information to decide that it's perfectly reasonable for some obscure
> thing like gnats to su root...

Well, the point is that some applications (login/telnet/SSH) will not allow
login of a user that has an invalid shell, so you will not get a warning if a
user logs into those accounts (with the proper password) if you don't
add the shell to /etc/shells.

I can see the problem with su; it's actually the same problem if OpenSSH's
scp/sftp is used instead of logging in.

That being said, I will probably drop support for noshell. But I might fix the
README.Debian for those users that use it before it gets removed from the
archive.

Regards

Javier


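The two behaviours Javier describes in this thread, that login-style services refuse an account whose shell is not in /etc/shells and that su runs the target account's own shell and ignores --shell in that case, while a disabling shell that *is* listed makes su treat the account as a normal one, can be audited on a host with a small script. The following is an added example, not code from the bug report, from the noshell package or from su itself; it runs against constructed sample copies of /etc/passwd and /etc/shells written to a temporary directory, and the function names (`is_listed_shell`, `audit_passwd`, `misregistered_accounts`) are the example's own.

```shell
#!/bin/sh
# Added example: audit which accounts su and login-style services treat as
# "normal" (shell listed in /etc/shells) versus "disabled" (shell unlisted).
# Function and variable names are this example's own, not su's.

# Constructed sample files standing in for /etc/shells and /etc/passwd.
# /usr/sbin/nologin is deliberately registered here to reproduce the
# misconfiguration the bug report warns about.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shells" <<'EOF'
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
EOF

# is_listed_shell SHELL SHELLS_FILE
# True if SHELL appears in SHELLS_FILE as a whole line (fixed-string match),
# with comment lines ignored: the same membership test that getusershell(3)
# callers such as chsh, su and ftp daemons rely on.
is_listed_shell() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxF -- "$1"
}

# audit_passwd PASSWD_FILE SHELLS_FILE
# Print one line per account: "<user> <shell> listed|unlisted".
#   listed   - the account is treated as a normal user: login-style services
#              accept it and a local user may pass --shell when su'ing to it.
#   unlisted - login/telnet/ssh refuse the account and su always runs the
#              account's own shell, ignoring any --shell request.
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # An empty shell field means /bin/sh, as login(1) interprets it.
        [ -z "$shell" ] && shell=/bin/sh
        if is_listed_shell "$shell" "$2"; then
            printf '%s %s listed\n' "$user" "$shell"
        else
            printf '%s %s unlisted\n' "$user" "$shell"
        fi
    done < "$1"
}

# misregistered_accounts PASSWD_FILE SHELLS_FILE
# Accounts whose shell is meant to disable logins (nologin, noshell, false)
# but is nevertheless registered in SHELLS_FILE: for these, su's "shell not
# listed" check no longer protects the account, which is the situation the
# bug report describes.
misregistered_accounts() {
    audit_passwd "$1" "$2" |
        awk '$2 ~ /\/(nologin|noshell|false)$/ && $3 == "listed" { print $1 }'
}

echo "== account audit =="
audit_passwd "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
echo "== disabling shells registered in the shells file (should be empty) =="
misregistered_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
```

On a real host, call `misregistered_accounts /etc/passwd /etc/shells`; any account it prints has a disabling shell that is also registered as a valid login shell, so removing that shell from /etc/shells (rather than adding it, as the noshell instructions under discussion suggested) restores the protection su and the ftp daemons derive from the file.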


Bug#410221: shells.5, noshell, and su

2007-06-19 Thread Justin Pryzby
clone 410221 -1
retitle -1 noshell: strongly suggest deregistering from etc/shells, not registering
severity -1 important
tag -1 security

Hi Michael and Javier and security@,

Regarding shells(5) manpage, I thought you might be interested that
/bin/su also (in addition to some ftpd) defines "restricted shell" as
"shells not in etc/shells".  This is perhaps more relevant since most
people know to avoid ftpd but su is a core package.  Also people might
go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
follow the best-practice instructions, only to have su use this
information to decide that it's perfectly reasonable for some obscure
thing like gnats to su root...

Justin

