On Thu, Jul 21, 2011 at 7:24 PM, David Chapman <dcchap...@acm.org> wrote:
> On 7/21/2011 4:00 PM, Daniel Neuberger wrote:
>>
>> On Thu, Jul 21, 2011 at 2:13 PM, Nico Kadel-Garcia<nka...@gmail.com>
>> wrote:
>>>
>>> Don't give the shared "svn" user a valid shell!!!! If an administrator
>>> needs to run operations as that user, to manipulate config files or
>>> create new repositories, they can do "sudo -s -H -u svn" to get a
>>> valid shell as the administrative user. Sudo can even be configured to
>>> allow designated users such administrative access without requiring
>>> local root privileges at all.
>>
>> Hmm, why didn't I think of that? It doesn't seem to work though.
>> Setting the shell to /bin/nologin or even just fakeshell breaks
>> everything. Is there another way to give an invalid shell?
>>
>>
>
> How about /bin/false? This is the "shell" defined for all of the non-login
> (e.g. daemon) accounts on my machines.

Depends on local system requirements. "/sbin/nologin" is common for system accounts, such as "www-data" and "named" on UNIX and Linux systems, that don't need root access or a valid user shell. It can even be listed in /etc/shells as a valid shell to permit certain oddball authentication setups to work well.
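
An added example, not part of the original messages: a POSIX shell check that reports whether an account's shell is a non-login program and whether that program is also listed in /etc/shells, the two cases discussed above. The function names, status labels and sample passwd/shells files are constructed for illustration.

```shell
#!/bin/sh
# Classify an account's login shell from passwd- and shells-format files.
# Usage: login_shell_status PASSWD_FILE SHELLS_FILE ACCOUNT
login_shell_status() {
    passwd_file=$1 shells_file=$2 account=$3
    entry=$(awk -F: -v u="$account" '$1 == u { print; exit }' "$passwd_file")
    [ -n "$entry" ] || { echo missing; return 0; }
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)   # field 7 is the shell
    # An empty shell field means /bin/sh (passwd(5)), i.e. a usable shell.
    [ -n "$shell" ] || shell=/bin/sh
    # Listed in the shells file? Skip comment lines, match the whole line.
    if grep -v '^#' "$shells_file" | grep -Fxq -- "$shell"; then listed=yes; else listed=no; fi
    case ${shell##*/} in
        nologin|false) [ "$listed" = yes ] && echo nologin-listed || echo nologin ;;
        *)             [ "$listed" = yes ] && echo interactive || echo unlisted ;;
    esac
}

# Constructed sample data (not from the thread): writes passwd and shells into $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svn:x:501:501:shared svn user:/home/svn:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/false
legacy:x:502:502:empty shell field:/home/legacy:
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
for u in svn named daemon legacy; do
    printf '%s: %s\n' "$u" "$(login_shell_status "$dir/passwd" "$dir/shells" "$u")"
done
rm -rf "$dir"
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells; accounts managed through LDAP or NIS do not appear in /etc/passwd and would need `getent passwd` output saved to a file first.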