[cfarm-users] Changing shell with chsh without being prompted for password

Baptiste Jonglez baptiste at bitsofnetworks.org
Tue Jul 17 20:49:19 CEST 2018


Hi Segher,

On 17-07-18, Segher Boessenkool wrote:
> Hi!
> 
> On Tue, Jul 17, 2018 at 12:44:09PM +0200, Baptiste Jonglez via cfarm-users wrote:
> > As an experiment, we have just added PAM configuration to gcc13 and gcc14
> > so that chsh does not ask for a password.
> 
> Cool.  Thanks for doing this.
> 
> > If you know about any security issues that could arise from this setting,
> > please speak up!  If everything looks fine, we will deploy this setting to
> > all farm machines.
> 
> It looks fine to me wrt security.

Yeah, PAM is supposed to be secure, but I'm just a bit concerned because
this setup basically allows changing /etc/passwd without root privileges.

> Two problems with it, probably not very serious:
> 
> 1) Not all machines use PAM;

I must admit I haven't tested on the more exotic OSes, but it should
work at least on all the Debian & Ubuntu machines (that's 80% of the machines).

> 2) Will we now get _more_ requests for help?  If someone messes up their
> login shell setting, they cannot fix it themselves.

chsh only allows shells listed in /etc/shells :)

  $ chsh -s /bin/cat
  chsh: /bin/cat is an invalid shell
  $ chsh -s /bin/zsh
  $

So, it should prevent most mistakes.

Baptiste
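
The /etc/shells allow-list behaviour shown in the message above, as an added example that is not part of the original message or of the farm's configuration. It is a simplified model of the check; the sample file contents and all function names are assumptions made for illustration. It also flags listed entries that are missing or not executable, which an allow-list match alone does not reveal.

```python
import os

# Constructed sample in /etc/shells format (not copied from a farm machine).
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh   # trailing comment

/usr/bin/tmux
/opt/missing/fish
"""

def parse_shells(text):
    """Return the absolute paths listed in /etc/shells-style text."""
    shells = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if entry.startswith("/"):              # entries are absolute paths
            shells.append(entry)
    return shells

def is_allowed(shell, shells):
    """Simplified model of the allow-list check: exact match against the list."""
    return shell in shells

def is_executable(path):
    """True if path is a regular file the caller may execute."""
    return os.path.isfile(path) and os.access(path, os.X_OK)

def unusable_entries(shells, executable=is_executable):
    """Listed shells that are missing or not executable on this machine."""
    return [s for s in shells if not executable(s)]

if __name__ == "__main__":
    # Use the real file when present, otherwise the constructed sample.
    path = "/etc/shells"
    text = open(path).read() if os.path.exists(path) else SAMPLE_SHELLS
    listed = parse_shells(text)
    for candidate in ("/bin/cat", "/bin/zsh"):
        verdict = "allowed" if is_allowed(candidate, listed) else "invalid shell"
        print(candidate, verdict)
    for entry in unusable_entries(listed):
        print("listed but not executable:", entry)
```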