On Tue, Apr 14, 2009 at 06:09:39PM +0200, Ante Karamatić wrote:
> Next are users with /bin/bash. If those users would have /bin/false,
> they won't be able to run jobs from cron.

The idea that setting a shell makes a service user vulnerable to
exploitation is ridiculous.  If a service were exploited, the attacker
would have arbitrary code control, and could spawn whatever program they
wanted, regardless of the configured shell.

And besides, several of those services (cups, mysql, bind9, with dhcp added
in 9.04) are confined with AppArmor, so it matters even less.

> Of course, there are some valid points, but also lots of nonsense.

If we're going to nitpick, how about "buffer overload"?  That is an
extremely uncommon phrase to use to mean "buffer overflow".  Getting this
wrong would seem to indicate a lack of real understanding in this area.

-Kees

-- 
Kees Cook
Ubuntu Security Team

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
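The thread turns on two facts about service accounts: which of them carry an interactive shell, and which of them (per Ante's point) would lose cron jobs if switched to /bin/false. The script below is an added example, not code from the thread or from Ubuntu; it parses passwd-format lines (the sample data is constructed, not from any real host), lists system accounts whose shell is interactive, and flags which ones would be affected by a shell change. It is an inventory check only: as Kees notes, the shell field is not a security boundary against a compromised service, so this is about hygiene and cron breakage, not exploit prevention. The UID cutoff of 1000 and the set of no-login shells are assumptions based on Debian/Ubuntu conventions.

```python
"""Inventory service accounts and their login shells from passwd-format data.

Added example, not part of the mailing-list thread. Constructed sample
lines below; pass a real file path to load_passwd() to audit a host.
"""
from dataclasses import dataclass
from typing import List

# Assumption: these are the usual "no login" shells on Debian/Ubuntu systems.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/nologin"}
# Assumption: Debian/Ubuntu allocate UIDs below 1000 to system accounts.
SYSTEM_UID_MAX = 999

# Constructed sample /etc/passwd content (not from any real machine).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
bind:x:105:110::/var/cache/bind:/bin/false
cupsys:x:106:111::/home/cupsys:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""


@dataclass
class Account:
    name: str
    uid: int
    shell: str

    @property
    def is_system(self) -> bool:
        return self.uid <= SYSTEM_UID_MAX

    @property
    def has_interactive_shell(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess at them
        accounts.append(Account(name=fields[0], uid=int(fields[2]), shell=fields[6]))
    return accounts


def load_passwd(path: str = "/etc/passwd") -> List[Account]:
    with open(path, encoding="utf-8") as fh:
        return parse_passwd(fh.read())


def interactive_system_accounts(text: str) -> List[str]:
    """System accounts (UID <= 999) whose shell is not a no-login shell, in file order."""
    return [a.name for a in parse_passwd(text) if a.is_system and a.has_interactive_shell]


def cron_affected_by_shell_change(text: str) -> List[str]:
    """Accounts that the thread's claim says would lose cron jobs if moved to /bin/false.

    The thread asserts that an account whose shell is /bin/false cannot run its
    cron jobs; this lists the interactive-shell system accounts a change would hit.
    Whether a given account actually owns a crontab must be checked separately.
    """
    return interactive_system_accounts(text)


if __name__ == "__main__":
    for name in interactive_system_accounts(SAMPLE_PASSWD):
        print(f"system account with interactive shell: {name}")
    # For a real host: for a in load_passwd(): ...
```

Run it against the constructed sample and it reports root, daemon, www-data, cupsys and backup; mysql and bind already carry /bin/false. Before changing any of the listed accounts, confirm whether it owns a crontab entry, which is the breakage Ante's message warns about.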