SUMMARY: root's /bin/false

From: Mike's List <>
Date: Tue Apr 01 2003 - 15:00:54 EST
Thanks to:
Brett Monroe, Casper Dik, topher, John Timon, Rich Teer, Crist Clark,
Michael Peppard, Debbie Tropiano...

All agreed that root's shell should not be change, ie. if the system
reboot and needs fsck or single user mode, you'll have to boot into
cdrom --too much of a hassle.

Casper and Crist both mentioned that and changing root's shell will not
prevent the exploit because it's executable w/in sendmail, dns, etc. and
not user's shell.

One mentioned that passwd -l might be safer than changing root's shell.
One mentioned using qmail and dnscache, of course there's also postfix,
but it's a major overhaul moving to a different mail software...

Leaving root's shell alone for now and just keeps patching away.

- Mike

---------- original message ----------

Maybe I'm not thinking right today or overlook something simple, but...

Anyone implementing root's shell to be /bin/false?  Since most of us here
at work do sudo, and with so many bugs/patches required for sendmail, DNS,
and the likes, I can't keep up in a timely manner.  I was just wondering if
anyone decided to have root shell as /bin/false --ie. easy enough to boot
the system via cdrom and recover, edit root's entry should it be necessary.

...or maybe another shell not sure if anything will be broken/requires for
root's shell to be /sbin/sh or not.  Note, shell changes only, I'm not
suggesting passwd -l the account; but then no one needs to login as root
in the first place.


- Mike

[ In addition to more packages at ]


 "They that can give up essential liberty to obtain a little
  temporary safety deserve neither liberty nor safety."

                                            -- Benjamin Franklin,
                               Historical Review of Pennsylvania.
sunmanagers mailing list
sunmanagers mailing list
Received on Tue Apr 1 15:05:44 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST