pseudo (*not* system) users and /bin/false ?

J.A. Neitzel jan.listbox at belvento.org
Tue Dec 12 00:30:35 PST 2000


On Sunday 10 December 2000 11:47, Thomas 'Balu' Walter gave us this to 
ponder:
> +-J.A. Neitzel-(jan.listbox at belvento.org)-[09.12.00 20:51]:
> > Does anyone know the overall security implications of using
> > /bin/false for system users? Please see example below (taken from
> > /etc/passwd)...

Note that I should have said pseudo users... Sorry, my bad.

> This is the solution I always found on systems. I once had another one
> that was quite interesting:
>
> /bin/noshell:
> #!/usr/bin/tail +6

What about #!/bin/cat instead?

> # /etc/NOSHELL
> #
> #   Login shell to prevent shell access for user accounts
>
>  
> #########################################################################
> #                                                                       #
> #               Sorry, you do not have login access.                    #
> #                                                                       #
> #  If you need any special requirements, please contact                 #
> #                                                                       #
> #########################################################################

Yes, interesting, could be handy for human users. OpenBSD has an 
/sbin/nologin that can be put as the shell for users who are not supposed 
to log in. I no longer have access to an OpenBSD system so I cannot say more 
about it. Though, it was a binary and not a shell script...

For human users who have been punished ;)
I was just thinking `passwd -l name` to disable (lock) the account. I 
wonder which is the better option..?

Thanks for the feedback! :o)
-- 
Regards,
J.A. Neitzel
"Computers don't make mistakes, but they do execute your mistakes
	with extreme precision."
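
An added example, not part of the original post: the two options weighed above act on different fields (the login shell in /etc/passwd, the password in /etc/shadow), so an audit can report them separately. The account lines are constructed sample data, and the `!` prefix is assumed to be the lock marker, as written by shadow-utils `passwd -l`.

```python
# Added example; the passwd/shadow lines below are constructed sample data.
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/bin/noshell"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
ftp:x:40:40:ftp:/home/ftp:/bin/noshell
games:x:60:60:games:/usr/games:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/sbin/nologin
"""

SHADOW = """\
root:$1$constructed$hashA:11300:0:99999:7:::
bin:*:11300:0:99999:7:::
ftp:$1$constructed$hashB:11300:0:99999:7:::
games::11300:0:99999:7:::
alice:!$1$constructed$hashC:11300:0:99999:7:::
bob:$1$constructed$hashD:11300:0:99999:7:::
"""


def password_state(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "empty"   # no password is required at all
    if field[0] in "!*":
        return "locked"  # '!' prefix is what `passwd -l` writes (shadow-utils)
    return "usable"


def audit(passwd_text, shadow_text):
    """Return {name: (shell_blocked, password_state)} for every account."""
    shadow = {}
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        shadow[name] = password_state(field)
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # An empty shell field means the default shell, so it is not blocked.
        report[fields[0]] = (fields[6] in NO_LOGIN_SHELLS,
                             shadow.get(fields[0], "missing"))
    return report


def shell_login_possible(report):
    """Accounts where neither control stops a password login to a shell."""
    return sorted(name for name, (blocked, pw) in report.items()
                  if not blocked and pw != "locked")
```

In the sample, `ftp` and `bob` have a blocked shell but still hold a usable password, which matters for any service that authenticates without starting the login shell; `alice` is locked but keeps a real shell, which matters for logins that do not use the password.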




