[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=456182





--- Comment #19 from Debarshi Ray <debarshi.ray@xxxxxxxxx>  2008-10-28 16:12:29 EDT ---
> Actually, rssh should *absolutely* *not* be added to /etc/shells.  This file
> lists shells which should be considered valid login shells.  rssh is not, nor
> is it intended to be, a valid login shell... it's a specialized shell intended
> to provide extremely restricted access.

Thanks Derek for that feedback!

> Some additional examples of badness that can occur if rssh is listed in
> /etc/shells:
>
> A malicious user could walk up to someone's terminal while they are away (or
> even not looking), quickly run chsh (setting it to rssh), and log the user out,
> effectively denying them login access to the machine.
>
> GDM will populate the user browser with an entry for that user, despite the
> fact that they will be unable to log in.
>
> Sendmail may allow users to execute arbitrary programs via .forward if their
> shell is rssh and it is listed in /etc/shells.
>
> getusershell() will return incorrect information about which shells are valid
> login shells.

Well, /etc/shells also has /sbin/nologin. Won't that cause some of the above
problems too?

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review

[Index of Archives]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]