I was just reviewing this thread to date, and came across somebody asking:

> How is this a "critical...security hole"?

I'm wondering if perhaps some of the staunch defenders of the status quo have missed the security hole?

One of the checks that chsh makes when running for an unprivileged user is that the current shell is a "normal" one, that is, listed in /etc/shells. chsh doesn't actually use pam_shells, but it's the same check. If your current shell is not listed in /etc/shells, you are not allowed to change it. But if your current shell is in the list, you can change it.

Suppose as an administrator, you want to lock Alice out of the system:

    # usermod -s /sbin/nologin alice

She can no longer log in. But now suppose Alice has a friend Eve, who also has an account on the system:

    eve$ su -s /bin/bash alice -c 'chsh -s /bin/bash'
    Password:
    Changing shell for alice.
    Password:
    Shell changed.

Now Alice can log in again. (In case it's not obvious, the first password prompt is from su, the second is from chsh, and I typed alice's password at each.)

A (non-root) user, supposedly locked out of a Fedora system with nologin, can regain access by colluding with another (non-root) user.

Does anyone still think that /sbin/nologin belongs in /etc/shells?

If so, I have a ticket drafted for FESCo to make an authoritative decision. But I'd prefer to avoid taking up their time. Can we reach consensus here that nologin should be removed from shells?

Toby.
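
An added example, not part of the original message: an administrator-side audit that lists accounts whose lockout shell is also present in the shells file, which is the condition under which the "current shell is listed" check described above passes. The function names, the choice of `nologin` and `false` as lockout shells, and the sample accounts in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): report accounts whose
# lockout shell is also listed in the shells file, so the "current shell is
# listed" check described above would pass for them.

# Print the entries of a shells file, without comments or blank lines.
listed_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Assumption: the site locks accounts with a shell named nologin or false.
is_lockout_shell() {
    case "${1##*/}" in
        nologin|false) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: audit_lockout_shells [passwd_file] [shells_file]
# Prints "user:shell" for each locked account whose shell is listed.
audit_lockout_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    listed=$(listed_shells "$shells_file")
    while IFS=: read -r user pw uid gid gecos home shell || [ -n "$user" ]; do
        [ -n "$shell" ] || continue
        is_lockout_shell "$shell" || continue
        # Whole-line, fixed-string match: /sbin/nologin must not match
        # /usr/sbin/nologin.
        if printf '%s\n' "$listed" | grep -Fxq -- "$shell"; then
            printf '%s:%s\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# Constructed sample data: alice is locked with a listed shell, bob with an
# unlisted one, eve has a normal shell.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed' /bin/sh /bin/bash /sbin/nologin > "$dir/shells"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/sbin/nologin' \
        'bob:x:1002:1002::/home/bob:/usr/sbin/nologin' \
        'eve:x:1003:1003::/home/eve:/bin/bash' > "$dir/passwd"
    audit_lockout_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}
demo
```

Called with no arguments, `audit_lockout_shells` reads /etc/passwd and /etc/shells; an empty result means no locked account's shell appears in the list.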