On Tue, Jun 19, 2007 at 10:56:05AM -0400, Justin Pryzby wrote:
> Regarding shells(5) manpage, I thought you might be interested that
> /bin/su also (in addition to some ftpd) defines "restricted shell" as
> "shells not in /etc/shells".  This is perhaps more relevant since most
> people know to avoid ftpd but su is a core package.  Also people might
> go to some effort to use eg. /usr/sbin/nologin or /sbin/noshell,
> follow the best-practice instructions, only to have su use this
> information to decide that it's perfectly reasonable for some obscure
> thing like gnats to su root...

Well, the point is that some applications (login/telnet/SSH) will not allow
a user that has an invalid shell to log in, so you will not get a warning if a
user logs into those accounts (with the proper password) if you don't
add the shell to /etc/shells.

I can see the problem with su; it's actually the same problem if OpenSSH's
scp/sftp is used instead of logging in.

That being said, I will probably drop support for noshell. But I might fix the
README.Debian for those users that use it before it gets removed from the
archive.

Regards

Javier

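Added example (not code from the thread or from the noshell package): an audit
script that applies the two readings of /etc/shells discussed above to a passwd
file. For every account it reports whether the shell is listed in /etc/shells,
and flags the case the thread is about, a deny-shell such as /usr/sbin/nologin
or /sbin/noshell that *is* listed, so login-style programs accept it and su/ftpd
no longer see it as a "restricted shell". The passwd and shells contents below
are constructed sample data; the "looks like a deny-shell" heuristic (basename
nologin/noshell/false) and the function names are my own assumptions. Run with
--system to read the real /etc/passwd and /etc/shells instead.

```python
"""Audit passwd accounts against /etc/shells (added example, not package code).

Per the thread: login/telnet/SSH refuse accounts whose shell is not listed in
/etc/shells, while su and some ftpd define "restricted shell" as exactly
"a shell not listed in /etc/shells". Listing a deny-shell there therefore
changes how both groups of programs classify the account.
"""
import sys

# Constructed sample /etc/passwd (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/sbin/noshell
svc:x:1001:1001:service account:/srv/svc:/bin/false
"""

# Constructed sample /etc/shells: nologin was added (as a README might advise),
# noshell and /bin/false were not, and zsh is simply missing.
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin
"""

# Assumed heuristic: basenames conventionally used to deny interactive login.
DENY_SHELL_NAMES = ("nologin", "noshell", "false")


def parse_shells(text):
    """Return the set of shells listed in shells(5) text; comments and blanks skipped."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}


def parse_passwd(text):
    """Yield (user, shell) from passwd-format text. An empty shell field means /bin/sh."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip malformed or commented lines rather than mis-parse them
        yield fields[0], (fields[6] or "/bin/sh")


def looks_disabled(shell):
    """True if the shell's basename is one of the usual deny-login shells."""
    return shell.rsplit("/", 1)[-1] in DENY_SHELL_NAMES


def audit(passwd_text, shells_text):
    """Classify each account; return {user: (shell, listed_in_shells, note)}."""
    listed = parse_shells(shells_text)
    report = {}
    for user, shell in parse_passwd(passwd_text):
        in_shells = shell in listed
        if in_shells and looks_disabled(shell):
            note = ("listed deny-shell: login-style programs accept the shell, "
                    "su/ftpd do not consider it restricted")
        elif in_shells:
            note = "normal login shell"
        elif looks_disabled(shell):
            note = ("unlisted deny-shell: login-style programs refuse the account, "
                    "su/ftpd treat it as restricted")
        else:
            note = ("unlisted interactive shell: login-style programs refuse the "
                    "account although the shell is real; likely a missing entry")
        report[user] = (shell, in_shells, note)
    return report


def listed_deny_shells(report):
    """Users whose deny-shell is listed in /etc/shells (the case the thread warns about)."""
    return sorted(u for u, (shell, in_shells, _) in report.items()
                  if in_shells and looks_disabled(shell))


if __name__ == "__main__":
    if "--system" in sys.argv:
        with open("/etc/passwd") as f, open("/etc/shells") as g:
            result = audit(f.read(), g.read())
    else:
        result = audit(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for user, (shell, in_shells, note) in result.items():
        print(f"{user:10} {shell:20} listed={in_shells!s:5} {note}")
    print("listed deny-shells:", ", ".join(listed_deny_shells(result)) or "none")
```

On the sample data the script reports gnats and daemon as accounts whose
deny-shell is listed, backup and svc as refused-but-restricted, and bob as an
ordinary user whose real shell is simply missing from /etc/shells.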