pseudo (*not* system) users and /bin/false ?

J.A. Neitzel jan.listbox at belvento.org
Wed Dec 13 23:10:16 PST 2000


On Wednesday 13 December 2000 09:57, Thomas 'Balu' Walter wrote:
> +-Gerard Beekmans-(gerard at linuxfromscratch.org)-[12.12.00 21:00]:
> > > So, would you say that it is an extra security precaution (good
> > > idea) to put /bin/false as shell for all pseudo users (bin, mail,
> > > ftp, etc...) on the system? Thanks for the feedback! :o)
> >
> > Yep. Also, you can do something about their home directory too. I
> > often write /no/where in the HOME field in combination with
> > /bin/false as the shell field.
>
> I prefer /dev/null as home-dir. Some machines allow people to log in,
> even if their home-dir does not exist (their new home is / then)

Ayup, I read about the /dev/null as home-dir in the *NIX SysAdmin 
Handbook (aka Redbook..?). Seems a good way to go. And, as a side note, 
/etc/login.defs has the following:

<cut>
#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME	no
</cut>

Good to know about that one. Though, I haven't played with it to see that 
it works correctly. I'll check it quickly in the morning...
-- 
Tar for now ;)
Jeff
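
As an added example (not part of the original message or of any LFS tooling): a Python audit of passwd(5) entries for the two settings discussed in this thread, a non-login shell for pseudo users and the DEFAULT_HOME fallback in /etc/login.defs. The UID threshold used to pick out pseudo users, the list of non-login shells and the sample data are assumptions.

```python
import os

# Shells that end the session immediately (assumed list; extend per system).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_passwd(text):
    """Yield (name, uid, home, shell) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2]), fields[5], fields[6]

def default_home_allowed(login_defs):
    """True when login.defs says DEFAULT_HOME yes (login proceeds with HOME=/)."""
    for line in login_defs.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "DEFAULT_HOME":
            return words[1].lower() == "yes"
    return False  # unset: the file's own comment gives "no" as the default

def audit(passwd, login_defs, uid_min=1000, is_dir=os.path.isdir):
    """Return (account, issue) pairs for pseudo users (0 < uid < uid_min)."""
    fallback = default_home_allowed(login_defs)
    findings = []
    for name, uid, home, shell in parse_passwd(passwd):
        if not 0 < uid < uid_min:
            continue  # skip root and ordinary users
        if shell not in NOLOGIN_SHELLS:
            # An empty shell field means /bin/sh, so it counts as a login shell.
            findings.append((name, "login shell " + (shell or "/bin/sh")))
        if fallback and not is_dir(home):
            findings.append((name, "home %s is unusable but DEFAULT_HOME is yes" % home))
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
mail:x:8:8:mail:/no/where:/bin/sh
ftp:x:40:40:ftp:/no/where:
jeff:x:1000:1000::/home/jeff:/bin/bash
"""
SAMPLE_LOGIN_DEFS = "# Should login be allowed if we can't cd to the home directory?\nDEFAULT_HOME\tno\n"

if __name__ == "__main__":
    for account, issue in audit(SAMPLE_PASSWD, SAMPLE_LOGIN_DEFS):
        print(account + ": " + issue)
```

To check a live system, pass the contents of /etc/passwd and /etc/login.defs to `audit()` in place of the sample strings.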




