Debian bug report logs - #1794
/bin/sh is shell when none specified in /etc/passwd

Package: ? ; Reported by: Ian Jackson.

-----------------------------------------------------------------------

Message received at debian-bugs:

From chiark.chu.cam.ac.uk!ian Fri Nov 3 11:55:24 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tBSCy-0005NXC; Fri, 3 Nov 95 11:55 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA19923
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 3 Nov 1995 11:54:48 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
    (Smail3.1.29.1 #33) id m0tBSC2-0007qwC; Fri, 3 Nov 95 19:54 GMT
Received: by chiark.chu.cam.ac.uk
    id m0tBSBn-0002bvC
    (Debian /\oo/\ Smail3.1.29.1 #29.33); Fri, 3 Nov 95 19:54 GMT
Message-Id:
Date: Fri, 3 Nov 95 19:54 GMT
From: Ian Jackson
To: debian-bugs@Pixar.com
Subject: Re: Bug#1794: /bin/sh is shell when none specified in /etc/passwd
In-Reply-To:
References:

Bruce Perens writes:
> ian@chiark.chu.cam.ac.uk said:
> > [empty shell fields in /etc/passwd mean /bin/sh]
>
> This is common practice, and perhaps important if you are using
> a Yellow Pages password database that originates on a different
> system.

I see. I don't really approve, but such things are too late to change
at this late stage of Unix's development ...

> Use "/dev/null" as the shell if you want to disable the login.

Perhaps this should be done for all the non-login accounts in
/etc/passwd, by default ?

Ian.

-----------------------------------------------------------------------

Acknowledgement sent to Ian Jackson:
Extra info received and forwarded. Full text available.

-----------------------------------------------------------------------

Information forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.
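
An audit for the condition discussed in this thread, as an added example that is not part of the original messages: it lists passwd entries whose shell field is empty and prints, without running it, the change to /bin/false that the original report describes. The function names and sample entries are constructed for illustration; lines starting with "+" or "-" are skipped because they are NIS (Yellow Pages) compat entries, not local accounts.

```shell
#!/bin/sh
# Added example: find passwd entries whose 7th (shell) field is empty.
# Per the thread, finger and su treat such an entry as having /bin/sh.

# Constructed sample data in /etc/passwd format (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:*:0:0:root:/root:/bin/bash
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:/bin/false
special:*:500:500:special purpose:/home/special:
+::::::
EOF
}

# Print "name uid" for each entry with an empty shell field.
# $1 = passwd-format file, or "-" for stdin (default: /etc/passwd).
empty_shell_accounts() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }   # skip blank lines and comments
        /^[+-]/ { next }              # NIS (Yellow Pages) compat entries
        NF < 7 { printf "line %d: fewer than 7 fields\n", NR > "/dev/stderr"; next }
        $7 == "" { print $1, $3 }
    ' "${1:-/etc/passwd}"
}

# Print (do not run) the change the report describes: shell set to /bin/false.
suggest_fix() {
    empty_shell_accounts "$1" | while read -r name uid; do
        printf 'usermod -s /bin/false %s\n' "$name"
    done
}

# Demonstration on the constructed sample.
sample_passwd | empty_shell_accounts -
sample_passwd | suggest_fix -
```

Run `empty_shell_accounts` with no argument to check the local /etc/passwd; review the `suggest_fix` output before applying any of it.
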
-----------------------------------------------------------------------

Message received at debian-bugs:

From pixar.com!bruce Thu Nov 2 15:44:49 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tB9JQ-0006WgC; Thu, 2 Nov 95 15:44 PST
Received: from mongo.pixar.com by pixar.com with SMTP id AA29607
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 15:44:21 -0800
Received: by mongo.pixar.com
    (Smail3.1.28.1 #15) id m0tB9JM-0006rpC; Thu, 2 Nov 95 15:44 PST
Message-Id:
X-Mailer: exmh version 1.6.2 7/18/95
To: Ian Jackson, debian-bugs@Pixar.com
Cc: bruce@Pixar.com
Subject: Re: Bug#1794: /bin/sh is shell when none specified in /etc/passwd
In-Reply-To: Your message of "Thu, 02 Nov 1995 19:16:00 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 02 Nov 1995 15:44:43 -0800
From: Bruce Perens

ian@chiark.chu.cam.ac.uk said:
> [empty shell fields in /etc/passwd mean /bin/sh]

This is common practice, and perhaps important if you are using
a Yellow Pages password database that originates on a different
system.

Use "/dev/null" as the shell if you want to disable the login.

    Thanks

    Bruce
--
See Pixar's "Toy Story", at a theater near you starting November 22.
"Toy Story" Soundtrack - Available now at a record shop near you!

-----------------------------------------------------------------------

Acknowledgement sent to Bruce Perens:
Extra info received and forwarded. Full text available.

-----------------------------------------------------------------------

Information forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:

From chiark.chu.cam.ac.uk!ian Thu Nov 2 11:17:03 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp
    (Smail3.1.28.1 #15) id m0tB58J-000Be6C; Thu, 2 Nov 95 11:17 PST
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA13292
    (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 2 Nov 1995 11:16:33 -0800
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp
    (Smail3.1.29.1 #33) id m0tB57z-0007qwC; Thu, 2 Nov 95 19:16 GMT
Received: by chiark.chu.cam.ac.uk
    id m0tB57j-0002YDC
    (Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 2 Nov 95 19:16 GMT
Message-Id:
Date: Thu, 2 Nov 95 19:16 GMT
From: Ian Jackson
To: Debian bugs submission address
Subject: /bin/sh is shell when none specified in /etc/passwd

Package: ?

I recently created a special-purpose entry in /etc/passwd, with an
empty shell field. I was surprised to see that `finger' reported the
shell as `/bin/sh', and tried using `su' from a root shell to su to
the account. Sure enough, I got a shell.

This seems wrong to me, particularly in the light of the many `system'
entries in /etc/passwd that have no shell in their shell field.

It's not clear that there is a real vulnerability here, but I would
feel happier if things in general didn't treat an absent shell field
as /bin/sh.

In the meantime I've changed the shells for `mail', &c, to
`/bin/false'.

Ian.

-----------------------------------------------------------------------

Acknowledgement sent to Ian Jackson:
New bug report received and forwarded. Full text available.

-----------------------------------------------------------------------

Report forwarded to debian-devel@pixar.com:
Bug#1794; Package ?. Full text available.

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 20:13:03 GMT Fri 03 Nov