[cfarm-users] Changing shell with chsh without being prompted for password
Baptiste Jonglez
baptiste at bitsofnetworks.org
Tue Jul 17 20:49:19 CEST 2018
Hi Segher,

On 17-07-18, Segher Boessenkool wrote:
> Hi!
>
> On Tue, Jul 17, 2018 at 12:44:09PM +0200, Baptiste Jonglez via cfarm-users wrote:
> > As an experiment, we have just added PAM configuration to gcc13 and gcc14
> > so that chsh does not ask for a password.
>
> Cool. Thanks for doing this.
>
> > If you know about any security issues that could arise from this setting,
> > please speak up! If everything looks fine, we will deploy this setting to
> > all farm machines.
>
> It looks fine to me wrt security.

Yeah, PAM is supposed to be secure, but I'm just a bit concerned because
this setup basically allows changing /etc/passwd without root privileges.

> Two problems with it, probably not very serious:
>
> 1) Not all machines use PAM;

I must admit I haven't tested on the more exotic OSes, but it should
work at least on all the Debian & Ubuntu machines (that's 80% of the machines).

> 2) Will we now get _more_ requests for help? If someone messes up their
> login shell setting, they cannot fix it themselves.

chsh only allows shells listed in /etc/shells :)

    $ chsh -s /bin/cat
    chsh: /bin/cat is an invalid shell
    $ chsh -s /bin/zsh
    $

So, it should prevent most mistakes.

Baptiste
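
The /etc/shells check mentioned in the message above, extended into an audit of every account's login shell. This is an added example, not part of the original post or the farm's configuration; the function names and the sample passwd/shells data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit login shells against
# an /etc/shells-style allowlist, the same list chsh consults.

# is_listed_shell CANDIDATE [SHELLS_FILE]
# Succeeds only if CANDIDATE is a whole line of the shells file;
# comment lines are ignored, as described in shells(5).
is_listed_shell() {
    candidate=$1
    list=${2:-/etc/shells}
    [ -n "$candidate" ] || return 1
    grep -v '^[[:space:]]*#' "$list" | grep -Fxq -- "$candidate"
}

# unlisted_login_shells [PASSWD_FILE] [SHELLS_FILE]
# Prints "user:shell" for each account whose 7th passwd field is not listed.
# An empty shell field is treated as /bin/sh, per passwd(5).
unlisted_login_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    while IFS=: read -r user _ _ _ _ _ login_shell; do
        [ -n "$user" ] || continue
        [ -n "$login_shell" ] || login_shell=/bin/sh
        is_listed_shell "$login_shell" "$shells_file" ||
            printf '%s:%s\n' "$user" "$login_shell"
    done < "$passwd_file"
}

# audit_constructed_sample: runs the audit on constructed data, not real accounts.
audit_constructed_sample() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/bin/zsh
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/bin/cat
carol:x:1002:1002:Carol:/home/carol:
dave:x:1003:1003:Dave:/home/dave:/bin/bas
EOF
    unlisted_login_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}
```

Running `unlisted_login_shells` with no arguments checks the real /etc/passwd against the real /etc/shells; the whole-line match is what keeps a truncated path such as /bin/bas from passing as /bin/bash.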