Is there any progress or any ongoing discussion about this set of merged bugs?
I got asked in a security audit again last month why all of our Debian systems have /bin/sh as the shell for accounts that should never allow logins. I realize that they're disabled in /etc/shadow, but depending on one's PAM configuration that may or may not be sufficiently effective. This can be an annoying issue at sites that use an enterprise-wide authentication system, such as Kerberos, since all of the random users created by the base passwd file on various different platforms may not be reserved from use as Kerberos principals. In combination with a change to the minimum_uid setting in libpam-krb5 (because one has legacy local UIDs in the reserved space, for instance), it can be possible to enable shell logins to these accounts without meaning to. I realize that the security implications here are obscure and only happen in combination with other factors, but there's really no reason for all of these accounts to have /bin/sh shells by default. The number of cases when one really wants to su to that account to check something is very small, and there are various other ways of doing that even if they have nologin or /bin/false or something similar as a shell. Could we please change the shells of all of the following users to /usr/sbin/nologin? daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh Other distributions have done this and it's generally considered (by auditors, for example) as an industry best practice and a variance if it's not done. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
