Debian bug report logs - #1794
/bin/sh is shell when none specified in /etc/passwd

Package: ?; Reported by: Ian Jackson <ian@chiark.chu.cam.ac.uk>.

Message received at debian-bugs:


From chiark.chu.cam.ac.uk!ian Fri Nov  3 11:55:24 1995
Return-Path: <ian@chiark.chu.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0tBSCy-0005NXC; Fri, 3 Nov 95 11:55 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA19923
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 3 Nov 1995 11:54:48 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
	(Smail3.1.29.1 #33) id m0tBSC2-0007qwC; Fri, 3 Nov 95 19:54 GMT
Received: by chiark.chu.cam.ac.uk
	id m0tBSBn-0002bvC
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Fri, 3 Nov 95 19:54 GMT
Message-Id: <m0tBSBn-0002bvC@chiark.chu.cam.ac.uk>
Date: Fri, 3 Nov 95 19:54 GMT
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
To: debian-bugs@Pixar.com
Subject: Re: Bug#1794: /bin/sh is shell when none specified in /etc/passwd 
In-Reply-To: <m0tB9JM-0006rpC@mongo.pixar.com>
References: <m0tB57j-0002YDC@chiark.chu.cam.ac.uk>
	<m0tB9JM-0006rpC@mongo.pixar.com>

Bruce Perens writes:
> ian@chiark.chu.cam.ac.uk said:
> > [empty shell fields in /etc/passwd mean /bin/sh]
> 
> This is common practice, and perhaps important if you are using
> a Yellow Pages password database that originates on a different
> system.

I see.  I don't really approve, but such things are too late to change
at this late stage of Unix's development ...

>  Use "/dev/null" as the shell if you want to disable the login.

Perhaps this should be done for all the non-login accounts in
/etc/passwd, by default ?

Ian.

Acknowledgement sent to Ian Jackson <ian@chiark.chu.cam.ac.uk>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.

Message received at debian-bugs:


From pixar.com!bruce Thu Nov  2 15:44:49 1995
Return-Path: <bruce@pixar.com>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0tB9JQ-0006WgC; Thu, 2 Nov 95 15:44 PST
Received: from mongo.pixar.com by pixar.com with SMTP id AA29607
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 15:44:21 -0800
Received: by mongo.pixar.com (Smail3.1.28.1 #15)
	id m0tB9JM-0006rpC; Thu, 2 Nov 95 15:44 PST
Message-Id: <m0tB9JM-0006rpC@mongo.pixar.com>
X-Mailer: exmh version 1.6.2 7/18/95
To: Ian Jackson <ian@chiark.chu.cam.ac.uk>, debian-bugs@Pixar.com
Cc: bruce@Pixar.com
Subject: Re: Bug#1794: /bin/sh is shell when none specified in /etc/passwd 
In-Reply-To: Your message of "Thu, 02 Nov 1995 19:16:00 PST."
             <m0tB57j-0002YDC@chiark.chu.cam.ac.uk> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Nov 1995 15:44:43 -0800
From: Bruce Perens <bruce@Pixar.com>


ian@chiark.chu.cam.ac.uk said:
> [empty shell fields in /etc/passwd mean /bin/sh]

This is common practice, and perhaps important if you are using
a Yellow Pages password database that originates on a different
system. Use "/dev/null" as the shell if you want to disable the login.

	Thanks

	Bruce


--
See Pixar's "Toy Story", at a theater near you starting November 22.
"Toy Story" Soundtrack - Available now at a record shop near you!


Acknowledgement sent to Bruce Perens <bruce@Pixar.com>:
Extra info received and forwarded. Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.

Message received at debian-bugs:


From chiark.chu.cam.ac.uk!ian Thu Nov  2 11:17:03 1995
Return-Path: <ian@chiark.chu.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0tB58J-000Be6C; Thu, 2 Nov 95 11:17 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA13292
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 11:16:33 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
	(Smail3.1.29.1 #33) id m0tB57z-0007qwC; Thu, 2 Nov 95 19:16 GMT
Received: by chiark.chu.cam.ac.uk
	id m0tB57j-0002YDC
	(Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 2 Nov 95 19:16 GMT
Message-Id: <m0tB57j-0002YDC@chiark.chu.cam.ac.uk>
Date: Thu, 2 Nov 95 19:16 GMT
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
To: Debian bugs submission address <debian-bugs@pixar.com>
Subject: /bin/sh is shell when none specified in /etc/passwd

Package: ?

I recently created a special-purpose entry in /etc/passwd, with an
empty shell field.  I was surprised to see that `finger' reported the
shell as `/bin/sh', and tried using `su' from a root shell to su to
the account.  Sure enough, I got a shell.

This seems wrong to me, particularly in the light of the many `system'
entries in /etc/passwd that have no shell in their shell field.  It's
not clear that there is a real vulnerability here, but I would feel
happier if things in general didn't treat an absent shell field as
/bin/sh.

In the meantime I've changed the shells for `mail', &c, to
`/bin/false'.

Ian.

Acknowledgement sent to Ian Jackson <ian@chiark.chu.cam.ac.uk>:
New bug report received and forwarded. Full text available.
Report forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.
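The behaviour Ian describes, as an added worked example that is not part of the bug report or of any Debian code: a small audit that resolves each passwd(5) record's shell the way login(1) and su(1) do (an empty seventh field becomes /bin/sh), flags entries that would still get an interactive shell, and rewrites them with an explicit non-login shell. The sample /etc/passwd lines are constructed, the uid <= 999 "system account" cut-off is an assumption (the thread gives none), and the function names are the example's own.

```python
"""Audit /etc/passwd-style records for the problem in Bug#1794.

Constructed example, not code from the bug report or from Debian.
An empty seventh (shell) field is treated by login(1), su(1) and the
traditional getpwnam() consumers as /bin/sh, so a "no shell" entry still
yields an interactive shell.  This script resolves each record's shell
the way those programs do and reports the entries that would get one.
"""

DEFAULT_SHELL = "/bin/sh"   # what login/su substitute for an empty field

# Shells that cannot start an interactive session.  /bin/false and
# /dev/null are the two suggested in the thread (exec of /dev/null fails,
# /bin/false exits non-zero); nologin is the modern equivalent.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/dev/null",
                    "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        name, _passwd, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def effective_shell(entry):
    """The shell login/su will actually exec: an empty field means /bin/sh."""
    return entry["shell"] or DEFAULT_SHELL


def audit(text, system_uid_max=999):
    """Return (name, effective_shell, reason) for each risky entry.

    Reported: an empty shell field (silently /bin/sh), and a non-root
    system account (uid <= system_uid_max, an assumed cut-off) whose
    effective shell is not a known non-login shell.
    """
    findings = []
    for e in parse_passwd(text):
        shell = effective_shell(e)
        if e["shell"] == "":
            findings.append((e["name"], shell,
                             "empty shell field resolves to %s" % shell))
        elif (e["uid"] != 0 and e["uid"] <= system_uid_max
              and shell not in NON_LOGIN_SHELLS):
            findings.append((e["name"], shell,
                             "system account has login shell"))
    return findings


def harden(text, replacement="/bin/false", system_uid_max=999):
    """Rewrite risky entries with an explicit non-login shell (Ian's
    /bin/false by default).  root and ordinary users are left alone.
    Returns the new passwd text; lines that are not 7-field records pass
    through unchanged."""
    out = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) == 7:
            uid = int(fields[2])
            if fields[6] == "" or (uid != 0 and uid <= system_uid_max
                                   and fields[6] not in NON_LOGIN_SHELLS):
                fields[6] = replacement
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


# Constructed sample resembling a 1995-era /etc/passwd; not real data.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:
mail:x:8:8:mail:/var/spool/mail:
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/dev/null
ian:x:1000:1000:Ian Jackson:/home/ian:/bin/bash
"""

if __name__ == "__main__":
    for name, shell, reason in audit(SAMPLE):
        print("%-8s %-12s %s" % (name, shell, reason))
    print(harden(SAMPLE), end="")
```

Run against the sample, `audit` reports daemon and mail (empty field, so /bin/sh) and news (explicit /bin/sh on a system account); `harden` sets all three to /bin/false and leaves root, uucp, nobody and the ordinary user untouched. On a live system the same check can be run over the real file (and over the NIS map Bruce mentions, via `getent passwd`), since the parser only assumes the seven-field format.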
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 20:13:03 GMT Fri 03 Nov