At 16:52 12/20/2002, Christian Hammers wrote:
I'm wondering why I would want that - until now nobody could give me a
good argument although everybody learns to remove the shells :-(

* If I give my users a disabled password, they cannot login via passwd
  based ssh/ftp/pop3 etc.
True enough. However, there are lots of situations where you want a user to be able to log in via FTP, but not have shell access. In this case, "shells" such as /bin/nologin allow the shell program to return "TRUE", thus allowing an FTP login, but not shell access through SSH, etc.


* But, on the other hand, I can have a
        su news -c /usr/local/script_running_as_user_news.sh
Of course you can; you can do whatever you please as root. However, oftentimes administrators would like a non-root user to be able to su to news, to start a program, but not be able to su to news for shell access. This requires a password, but not a shell. The truth is, you should not execute the above command as root; it is a far safer operation to execute as a non-root user. In fact, I recommend that you avoid using root except where impossible. There are many ways to make this easier. Check out http://www.grsecurity.net.


ahp
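
The thread turns on two independent per-account gates, the password field and the login shell. The following is an added example, not part of the original messages: it classifies accounts by the combination of the two, using constructed passwd/shadow lines; the account names, the list of no-login shells and the category labels are assumptions.

```python
# Added example. All account data below is constructed, not from a real system.
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/bin/sh
ftpuser:x:1001:1001::/home/ftpuser:/bin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
"""
SHADOW = """\
root:$6$constructed$hash:12000:0:99999:7:::
news:*:12000:0:99999:7:::
ftpuser:$6$constructed$hash:12000:0:99999:7:::
backup:!:12000:0:99999:7:::
"""

def password_state(field):
    """Return 'empty', 'locked' or 'set' for a shadow password field."""
    if field == "":
        return "empty"    # no password is required at all
    if field[0] in "!*":
        return "locked"   # no input can hash to this value
    return "set"

def parse(text, nfields):
    """Yield colon-split records, skipping blank, comment and short lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= nfields and not parts[0].startswith("#"):
            yield parts

def classify(passwd_text, shadow_text):
    """Map each account name to the combination of its two gates."""
    pw = {rec[0]: password_state(rec[1]) for rec in parse(shadow_text, 2)}
    result = {}
    for rec in parse(passwd_text, 7):
        name, shell = rec[0], rec[6]
        state = pw.get(name, "locked")           # assumption: no shadow entry means locked
        has_shell = shell not in NOLOGIN_SHELLS  # an empty shell field means /bin/sh
        if state == "empty":
            result[name] = "EMPTY-PASSWORD"
        elif state == "set":
            result[name] = "interactive" if has_shell else "password-only"
        else:
            result[name] = "su-from-root-only" if has_shell else "disabled"
    return result

if __name__ == "__main__":
    for name, kind in classify(PASSWD, SHADOW).items():
        print(f"{name:10} {kind}")
```

Whether a given FTP, POP3 or SSH daemon honours the shell field is specific to that daemon and its configuration; the script only reports what the two fields say.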
