On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
> > 'su -s /bin/bash -c "cmd" user '
> >
> > sounds like a very bs argument
>
> Do you understand the term 'breakage' ?

Do you understand the term "testing"?

> How about the idea that changing something in the system may force you
> to rewrite parts of code?

Some of us have run fairly complete Linux machines for years with most of those accounts set to /bin/bash for their shell without any problems. I stopped doing that for two reasons, one is that upgrades of base-passwd whinged at me all the time, and the other is that I have little need for such measures now that I'm running SE Linux on all important machines.

As most people who are interested in secure systems are not yet running SE Linux I think that there are some good benefits to be achieved by making the shells of those accounts be /bin/bash by default. As some people (such as myself) have run systems in such a manner for years without breakage I am quite confident that we can get these things right.

We can start with "bin", "daemon", "sys", and "sync" which are the least likely accounts to need a login shell. After those changes have been tested to everyone's satisfaction we can then move on to others.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page