On Wed, May 03, 2006 at 02:45:56AM +0200, Uwe Hermann wrote:
> Security-wise it's probably a good idea to give as few users as possible
> a valid shell, all others should get /bin/false, right?
AFAIK, this is already being done in Red Hat, SuSE, FreeBSD and OpenBSD for many system users. And is the recommended practice for disabling users (per CERT's http://www.cert.org/tech_tips/unix_configuration_guidelines.html). This is recommended because even if a user has a disabled password some (network) services might allow remote login under certain circumstances.

In any case, and this is Debian-specific, you might want to read through the following discussions: http://lists.debian.org/debian-security/2003/10/msg00135.html and http://lists.debian.org/debian-devel/1998/07/msg03281.html (continued in http://lists.debian.org/debian-devel/1998/08/msg00084.html) (1998! gasp!) for insightful comments for (some even against) this practice.

In any case, you could use noshell (already available in Debian) or nologin (see #298782) instead of /bin/false. Those will also provide logging capabilities (i.e. when somebody tries to use the shell this is noted in syslog). That helps detect misuse and also detect which users *do* need a shell for some reason (as they would trigger the log messages and you are reviewing the logs, aren't you? :-)

Regards

Javier
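The audit a practitioner would run after reading the above: list which accounts in a passwd file still have a login shell, and which are locked with /bin/false (denied silently) rather than nologin or noshell (denied with a syslog entry). This is an added example, not code from the mail or from Debian; the passwd entries are a constructed sample written to a temp file, and the set of "disabled" shell paths is an assumption you may need to extend for your distribution.

```shell
#!/bin/sh
# Added example (not from the original mail): audit login shells in a passwd
# file. Constructed sample data so it runs offline; pass /etc/passwd to the
# functions on a real host instead.

SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postfix:x:100:102::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/noshell
EOF

# Shells that refuse an interactive login (assumed paths; adjust per system).
# nologin and noshell also record the attempt via syslog; /bin/false does not.
is_disabled_shell() {
    case "$1" in
        /bin/false|/usr/bin/false) return 0 ;;
        /sbin/nologin|/usr/sbin/nologin|/bin/nologin) return 0 ;;
        /bin/noshell|/usr/bin/noshell) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name<TAB>shell" for every account whose shell still permits login.
# These are the accounts that need a justification for having a shell.
list_login_shells() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if ! is_disabled_shell "$shell"; then
            printf '%s\t%s\n' "$name" "$shell"
        fi
    done < "$1"
}

# Number of accounts with a usable login shell.
count_login_shells() {
    list_login_shells "$1" | awk 'END { print NR }'
}

# Accounts locked with /bin/false: denied, but with no log entry, so these are
# candidates for switching to nologin or noshell to gain the syslog trail.
list_silent_false() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in
            /bin/false|/usr/bin/false) printf '%s\n' "$name" ;;
        esac
    done < "$1"
}

echo "Accounts with a login shell:"
list_login_shells "$SAMPLE_PASSWD"
echo "Accounts using /bin/false (no logging on attempted login):"
list_silent_false "$SAMPLE_PASSWD"
```

On the sample data, three accounts (root, daemon, alice) keep a shell and two (bin, postfix) are silently disabled; after moving the latter to nologin or noshell, a login attempt by any of them shows up in syslog, which is exactly the signal the mail recommends reviewing.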