On Mon, Jun 1, 2009 at 2:45 AM, Michael A. Peters mpeters@mac.com wrote:
Bill Campbell wrote:
Personally I would not permit users to change their shells, but require appropriate admin privileges. I have seen system hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definitely should not have been there.
Any tool that changes the shell should have a whitelist of shells the user account must currently be set to or it exits, and probably should validate that the new shell is in that whitelist as well before it changes it.
I should have been more precise in my original post. After a second read, I see that it sounds like I was asking for policy advice. Actually, what I meant to ask was: is it expected behavior that "lchsh" fails for LDAP users? If so, what are my choices for allowing users to change their shells? I can open up the permissions on /etc/default/useradd, but maybe there's a better way. I need this capability.
"chsh" works for local users, so it's not that CentOS takes a stand against users changing their shells.
Matt
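The whitelist rule Michael describes above (refuse unless both the account's current shell and the requested shell are permitted login shells) can be sketched as follows. This is an added example, not code from the thread or from chsh/lchsh; the /etc/shells-style list and passwd entries are constructed, and the function names are hypothetical.

```python
"""Whitelist check for a shell-change tool, following the rule in the thread:
the account's *current* shell must be a permitted login shell (so an account
parked on /bin/false cannot be re-enabled this way), and the *requested* shell
must be permitted too. Added example with constructed data; not chsh's code."""

# Constructed /etc/shells-style content (comments and blank lines allowed).
ALLOWED_SHELLS_TEXT = """
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/bin/zsh
"""

# Constructed passwd-style entries: an interactive user and a service account
# deliberately parked on /bin/false.
PASSWD_TEXT = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc-web:x:1002:1002:Web service:/var/www:/bin/false
"""


def parse_shells(text):
    """Return the set of permitted shells from /etc/shells-style text.

    Matching is by exact string, the same way chsh compares against
    /etc/shells; no path normalisation, so '/bin/../bin/bash' is rejected."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        shells.add(line)
    return shells


def current_shell(passwd_text, user):
    """Return the login shell (7th field) for `user`, or None if not found."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def check_shell_change(user, new_shell,
                       passwd_text=PASSWD_TEXT, shells_text=ALLOWED_SHELLS_TEXT):
    """Decide whether `user` may change to `new_shell`.

    Returns (ok, reason). Refuses when the user is unknown, when the current
    shell is outside the whitelist, or when the requested shell is."""
    allowed = parse_shells(shells_text)
    cur = current_shell(passwd_text, user)
    if cur is None:
        return False, "unknown user"
    if cur not in allowed:
        return False, "current shell %s is not a permitted login shell; refusing" % cur
    if new_shell not in allowed:
        return False, "requested shell %s is not in the whitelist" % new_shell
    return True, "ok"


if __name__ == "__main__":
    for user, shell in [("alice", "/bin/zsh"), ("svc-web", "/bin/bash"),
                        ("alice", "/usr/local/bin/mystery")]:
        ok, why = check_shell_change(user, shell)
        print("%s -> %s: %s (%s)" % (user, shell, "allow" if ok else "deny", why))
```

The second check is the one the thread is really about: with only a check on the new shell, a compromised web-admin tool could still turn a /bin/false service account into an interactive one, since /bin/bash is in the list. Requiring the current shell to be permitted as well means that re-enabling such an account needs an administrator rather than a user-facing tool.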