[cfarm-users] Changing shell with chsh without being prompted for password
Segher Boessenkool
segher at kernel.crashing.org
Tue Jul 17 21:48:00 CEST 2018
On Tue, Jul 17, 2018 at 08:49:19PM +0200, Baptiste Jonglez via cfarm-users wrote:
> On 17-07-18, Segher Boessenkool wrote:
> > On Tue, Jul 17, 2018 at 12:44:09PM +0200, Baptiste Jonglez via cfarm-users wrote:
> > > As an experiment, we have just added PAM configuration to gcc13 and gcc14
> > > so that chsh does not ask for a password.
> >
> > Cool. Thanks for doing this.
> >
> > > If you know about any security issues that could arise from this setting,
> > > please speak up! If everything looks fine, we will deploy this setting to
> > > all farm machines.
> >
> > It looks fine to me wrt security.
>
> Yeah, PAM is supposed to be secure, but I'm just a bit concerned because
> this setup basically allows changing /etc/passwd without root privileges.

Just like passwd(1) you mean? :-)

> > 2) Will we now get _more_ requests for help? If someone messes up their
> > login shell setting, they cannot fix it themselves.
>
> chsh only allows shells listed in /etc/shells :)
>
> $ chsh -s /bin/cat
> chsh: /bin/cat is an invalid shell
> $ chsh -s /bin/zsh
> $
>
> So, it should prevent most mistakes.

Oh of course. For some reason I thought anything would be allowed, like
root can do; but you only don't need to authenticate, nothing else changes.
So yeah looks fine :-)

Segher
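
The /etc/shells restriction discussed in this thread, as an added example that is not part of the original message or the farm's configuration: it repeats the listing check from the quoted `chsh` session and extends it to report accounts whose current login shell is not listed. The function names and the sample files are constructed for illustration; on a real host the arguments would be /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example: audit helpers, not code from the cfarm admins.
# File paths are parameters so the functions can run on constructed input.

# list_shells FILE: print the entries of an /etc/shells-style file,
# dropping '#' comments, trailing whitespace and blank lines.
list_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# shell_allowed FILE SHELL: succeed only if SHELL is listed exactly
# (whole-line, fixed-string match, so /bin/z does not match /bin/zsh).
shell_allowed() {
    list_shells "$1" | grep -Fxq -- "$2"
}

# unlisted_login_shells PASSWD SHELLS: print "user:shell" for every account
# whose login shell (7th passwd field) is not listed in SHELLS.
unlisted_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        # passwd(5): an empty shell field defaults to /bin/sh
        [ -n "$shell" ] || shell=/bin/sh
        shell_allowed "$2" "$shell" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Constructed sample data (not taken from any farm machine).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# /etc/shells: valid login shells' \
        /bin/sh /bin/bash /bin/zsh > "$d/shells"
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/zsh' \
        'bob:x:1001:1001::/home/bob:/bin/cat' \
        'carol:x:1002:1002::/home/carol:' > "$d/passwd"
    unlisted_login_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}

demo   # prints: bob:/bin/cat
```
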