On 09/29/08 22:56, John Sonnenschein wrote:
> Hey security people
>
> I'm fishing for feedback on something. A user can't change his or her
> own shell in [Open]Solaris.

This is only (for the files repository, i.e. /etc/passwd) because there is an explicit check in passwd.c that prohibits regular users from changing their shell and/or gecos. If you remove that check, or change it to an authorization-based check as has been discussed, the functionality to change these account properties is fully functional inside passwd.

I'm not opposed to creating a different binary (chsh/chfn), but I'd suggest keeping all this functionality in one place (passwd) and creating hardlinks to it, if possible.

Joep
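
The layout suggested in this message, one binary reached through hard links with the shell/gecos change gated by an authorization, sketched as an added example (not code from passwd.c or from the thread). The function names, the has_auth flag standing in for an authorization lookup, and the rule that non-root callers may only touch their own entry are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which account property this invocation is asking to change. */
enum op { OP_PASSWORD, OP_SHELL, OP_GECOS, OP_UNKNOWN };

/* Map the name the binary was invoked under (argv[0], possibly a full
 * path to a hard link) to an operation. argv[0] is chosen by the caller
 * of exec, so it may only select the operation, never grant privilege. */
enum op op_from_argv0(const char *argv0)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    if (strcmp(base, "passwd") == 0) return OP_PASSWORD;
    if (strcmp(base, "chsh") == 0)   return OP_SHELL;
    if (strcmp(base, "chfn") == 0)   return OP_GECOS;
    return OP_UNKNOWN;                /* unexpected link name: fail closed */
}

/* Hypothetical policy in place of a hard-coded "regular users may not"
 * check. has_auth stands in for the result of an authorization lookup
 * done for the real (not effective) uid of the caller. */
int may_change(enum op op, uid_t caller, uid_t target, int has_auth)
{
    if (op == OP_UNKNOWN)   return 0;
    if (caller == 0)        return 1; /* root keeps full access */
    if (caller != target)   return 0; /* assumption: own entry only */
    if (op == OP_PASSWORD)  return 1; /* changing one's own password */
    return has_auth ? 1 : 0;          /* shell/gecos need the authorization */
}

int main(int argc, char **argv)
{
    enum op op = op_from_argv0(argc > 0 ? argv[0] : "");
    uid_t me = getuid();              /* real uid, even when set-uid */
    int allowed = may_change(op, me, me, 0 /* no authorization held */);
    printf("op=%d uid=%ld allowed=%d\n", (int)op, (long)me, allowed);
    return allowed ? 0 : 1;
}
```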