Debian bug report logs - #1794, boring messages
-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1794: /bin/sh is shell when none specified in /etc/passwd
Reply-To: Ian Jackson , debian-bugs@pixar.com
Resent-From: Ian Jackson
Resent-To: debian-devel@pixar.com
Resent-Date: Thu, 02 Nov 1995 19:33:01 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: ?
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 02 Nov 1995 19:33:01 GMT
Received: with rfc822 via encapsulated-mail; Thu, 02 Nov 1995 19:19:03 GMT
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tB58J-000Be6C; Thu, 2 Nov 95 11:17 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA13292
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 11:16:33 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
    (Smail3.1.29.1 #33) id m0tB57z-0007qwC; Thu, 2 Nov 95 19:16 GMT
Received: by chiark.chu.cam.ac.uk id m0tB57j-0002YDC
    (Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 2 Nov 95 19:16 GMT
Message-Id:
Date: Thu, 2 Nov 95 19:16 GMT
From: Ian Jackson
To: Debian bugs submission address

Package: ?

I recently created a special-purpose entry in /etc/passwd, with an
empty shell field. I was surprised to see that `finger' reported the
shell as `/bin/sh', and tried using `su' from a root shell to su to
the account. Sure enough, I got a shell.

This seems wrong to me, particularly in the light of the many `system'
entries in /etc/passwd that have no shell in their shell field.

It's not clear that there is a real vulnerability here, but I would
feel happier if things in general didn't treat an absent shell field
as /bin/sh.

In the meantime I've changed the shells for `mail', &c, to
`/bin/false'.

Ian.
-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1794: Acknowledgement (was: /bin/sh is shell when none specified in /etc/passwd)
In-Reply-To:
References:

Thank you for the problem report you have sent regarding Debian
GNU/Linux. This is an automatically generated reply, to let you know
your message has been received. It is being forwarded to the
developers' mailing list for their attention; they will reply in due
course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject line
of your message starts with "Bug#1794" or "Re: Bug#1794" so that we
can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)
-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1794: bin/sh is shell when none specified in /etc/passwd
Reply-To: Bruce Perens , debian-bugs@pixar.com
Resent-From: Bruce Perens
Resent-To: debian-devel@pixar.com
Resent-Date: Thu, 02 Nov 1995 23:48:02 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: ?
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 02 Nov 1995 23:48:02 GMT
Received: with rfc822 via encapsulated-mail; Thu, 02 Nov 1995 23:46:02 GMT
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tB9JQ-0006WgC; Thu, 2 Nov 95 15:44 PST
Received: from mongo.pixar.com by pixar.com with SMTP id AA29607
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 15:44:21 -0800
Received: by mongo.pixar.com (Smail3.1.28.1 #15)
    id m0tB9JM-0006rpC; Thu, 2 Nov 95 15:44 PST
Message-Id:
X-Mailer: exmh version 1.6.2 7/18/95
To: Ian Jackson , debian-bugs@Pixar.com
Cc: bruce@Pixar.com
In-Reply-To: Your message of "Thu, 02 Nov 1995 19:16:00 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Nov 1995 15:44:43 -0800
From: Bruce Perens

ian@chiark.chu.cam.ac.uk said:
> [empty shell fields in /etc/passwd mean /bin/sh]

This is common practice, and perhaps important if you are using
a Yellow Pages password database that originates on a different
system.

Use "/dev/null" as the shell if you want to disable the login.

Thanks

Bruce
--
See Pixar's "Toy Story", at a theater near you starting November 22.
"Toy Story" Soundtrack - Available now at a record shop near you!
-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Bruce Perens
Subject: Bug#1794: Info received (was Bug#1794: /bin/sh is shell when none specified in /etc/passwd)
In-Reply-To:
References:

Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com,
ensuring that the Subject line starts with "Bug#1794" or "Re: Bug#1794"
so that we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)
-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1794: bin/sh is shell when none specified in /etc/passwd
Reply-To: Ian Jackson , debian-bugs@pixar.com
Resent-From: Ian Jackson
Resent-To: debian-devel@pixar.com
Resent-Date: Fri, 03 Nov 1995 20:03:02 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: ?
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Fri, 03 Nov 1995 20:03:02 GMT
Received: with rfc822 via encapsulated-mail; Fri, 03 Nov 1995 19:56:30 GMT
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tBSCy-0005NXC; Fri, 3 Nov 95 11:55 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA19923
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 3 Nov 1995 11:54:48 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
    (Smail3.1.29.1 #33) id m0tBSC2-0007qwC; Fri, 3 Nov 95 19:54 GMT
Received: by chiark.chu.cam.ac.uk id m0tBSBn-0002bvC
    (Debian /\oo/\ Smail3.1.29.1 #29.33); Fri, 3 Nov 95 19:54 GMT
Message-Id:
Date: Fri, 3 Nov 95 19:54 GMT
From: Ian Jackson
To: debian-bugs@Pixar.com
In-Reply-To:
References:

Bruce Perens writes:
> ian@chiark.chu.cam.ac.uk said:
> > [empty shell fields in /etc/passwd mean /bin/sh]
>
> This is common practice, and perhaps important if you are using
> a Yellow Pages password database that originates on a different
> system.

I see. I don't really approve, but such things are too late to change
at this late stage of Unix's development ...

> Use "/dev/null" as the shell if you want to disable the login.

Perhaps this should be done for all the non-login accounts in
/etc/passwd, by default ?

Ian.
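
Added example, not part of the thread and not a Debian tool: a shell audit of a passwd(5)-format file that reports the shell each account effectively gets, flagging empty shell fields as /bin/sh. The function names, the sample data and the nologin paths in the non-login list are assumptions made for illustration; /bin/false and /dev/null are the two shells named in the messages above.

```sh
#!/bin/sh
# Added example: classify accounts in a passwd(5)-format file by effective shell.

# Shells treated as "no interactive login". /bin/false and /dev/null come from
# the thread; the two nologin paths are an assumption added here.
NOLOGIN_SHELLS="/bin/false /dev/null /usr/sbin/nologin /sbin/nologin"

# audit_passwd_shells FILE
# Prints: name<TAB>uid<TAB>verdict<TAB>effective shell
audit_passwd_shells() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        # NIS (Yellow Pages) compat entries: empty fields are filled from the map
        /^[+-]/ { next }
        # Too few fields: report for manual review instead of guessing
        NF < 7 { printf "%s\t%s\tMALFORMED\t-\n", $1, $3; next }
        {
            shell = $7; verdict = "LOGIN"
            if (shell == "") { shell = "/bin/sh"; verdict = "EMPTY-SHELL" }
            else if (shell in off) { verdict = "NO-LOGIN" }
            printf "%s\t%s\t%s\t%s\n", $1, $3, verdict, shell
        }' "$1"
}

# empty_shell_accounts FILE
# Prints the names of accounts with an empty shell field, space separated.
empty_shell_accounts() {
    audit_passwd_shells "$1" |
        awk -F'\t' '$3 == "EMPTY-SHELL" { printf "%s%s", sep, $1; sep = " " }
                    END { print "" }'
}

# Constructed sample data, not a real system file.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:
mail:x:8:8:mail:/var/spool/mail:/bin/false
special:x:900:900:special purpose:/nonexistent:
news:x:9:9:news:/var/spool/news:/dev/null
+::::::
EOF
}

sample=$(mktemp) && write_sample_passwd "$sample" && audit_passwd_shells "$sample"
rm -f "$sample"
```

Run against the real file with `audit_passwd_shells /etc/passwd`; every EMPTY-SHELL line on a system account is a candidate for an explicit non-login shell.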
-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1794: Info received (was Bug#1794: /bin/sh is shell when none specified in /etc/passwd)
In-Reply-To:
References:

Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com,
ensuring that the Subject line starts with "Bug#1794" or "Re: Bug#1794"
so that we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)
-----------------------------------------------------------------------
Ian Jackson / iwj10@thor.cam.ac.uk , with the debian-bugs tracking mechanism
This page last modified 20:13:03 GMT Fri 03 Nov