On Sun, May 31, 2009, Matt Harrington wrote:
Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:
Personally I would not permit uses to change their shells, but require appropriate admin privileges. I have seen systems hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definately should not have been there.
Most of our customers are regional ISPs or small-to-medium businesses where most user accounts have /bin/false as their shells as the average user has no need for shell access. Any user who wants real shell access needs to ask specifically for it, and, in the case of the ISPs, be known to the ISP as somebody who isn't going to abuse or misuse the account, intentionally or through simple ignorance.
Bill