Russ Allbery <r...@debian.org> writes: > That definitely should not be the case and any restricted shell that adds > itself to /etc/shells is buggy. See chsh(1):
> The only restriction placed on the login shell is that the command > name must be listed in /etc/shells, unless the invoker is the > superuser, and then any value may be added. An account with a > restricted login shell may not change her login shell. For this > reason, placing /bin/rsh in /etc/shells is discouraged since > accidentally changing to a restricted shell would prevent the user > from ever changing her login shell back to its original value. To follow up on this, currently rbash is added to /etc/shells, which is surprising to me and which I assume is what you were referring to. This seems directly contrary to the chsh advice. I can't find a reference to this in bash's changelog and am not sure the reasons for this, though, so presumably I'm missing something. I was only able to find this discussion of why pkexec checks $SHELL, and it doesn't support my assumption that it was an intentional security measure, so I may well be wrong in that part of my analysis. Apologies for that; I clearly should have done more research. git blame points to a commit that only references this thread: https://lists.freedesktop.org/archives/polkit-devel/2009-December/000282.html which seems to imply that this was done to match sudo behavior and because the author believed this was the right way to validate the SHELL setting. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
