Bill Campbell wrote:
> On Sun, May 31, 2009, Matt Harrington wrote:
>> Should unprivileged users be able to change their shell with lchsh on
>> 5.3 and, if it matters, CentOS Directory Server? lchsh seems to
>> require more open permissions than those which come with a default
>> installation:
>
> Personally I would not permit users to change their shells, but
> require appropriate admin privileges. I have seen systems hacks
> made via webmin or usermin where the user's shell was changed
> from /bin/false to /bin/bash, then the account used to install
> user-level bots that definitely should not have been there.

Any tool that changes the shell should have a whitelist of shells the user account must currently be set to or it exits, and probably should validate the new shell is in that whitelist as well before it changes it.
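
The two-sided check described in the reply above, sketched as an added example; it is not part of the original thread and is not code from lchsh, webmin or usermin. The function names, the sample passwd entries and the allow-list contents are constructed for illustration.

```python
# Constructed sample data in passwd(5) format and /etc/shells-style format.
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_web:x:48:48:Web service:/var/www:/bin/false
"""
# Allow-list of real login shells. If the system's /etc/shells also lists a
# no-login shell, leave it out of this list, or locked accounts pass check 1.
SAMPLE_SHELLS = """\
# interactive shells users may switch between
/bin/sh
/bin/bash
/bin/zsh   # optional
"""

def parse_shells(text):
    """Return the set of absolute paths listed, ignoring '#' comments and blanks."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.add(line)
    return shells

def parse_passwd(text):
    """Map login name -> shell field; lines without exactly 7 fields are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = fields[6]
    return users

def check_shell_change(user, new_shell, passwd_text, shells_text):
    """Return (allowed, reason) for a self-service shell change request."""
    allowed = parse_shells(shells_text)
    users = parse_passwd(passwd_text)
    if user not in users:
        return False, "unknown user"
    current = users[user]
    # Check 1: an account parked on /bin/false, nologin or an empty field is
    # not on the list, so it can never be switched to a login shell here.
    if current not in allowed:
        return False, "current shell %r is not on the allow-list" % current
    # Check 2: the target must match an allow-list entry exactly.
    if new_shell not in allowed:
        return False, "requested shell %r is not on the allow-list" % new_shell
    return True, "ok"
```
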