Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:
Error initializing libuser: could not open configuration file `/etc/default/useradd': Permission denied.
Matt
On Sun, May 31, 2009, Matt Harrington wrote:
Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:
Personally I would not permit users to change their shells, but require appropriate admin privileges. I have seen system hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definitely should not have been there.
Most of our customers are regional ISPs or small-to-medium businesses where most user accounts have /bin/false as their shells as the average user has no need for shell access. Any user who wants real shell access needs to ask specifically for it, and, in the case of the ISPs, be known to the ISP as somebody who isn't going to abuse or misuse the account, intentionally or through simple ignorance.
Bill
Bill Campbell wrote:
On Sun, May 31, 2009, Matt Harrington wrote:
Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:
Personally I would not permit users to change their shells, but require appropriate admin privileges. I have seen system hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definitely should not have been there.
Any tool that changes the shell should have a whitelist of shells the user account must currently be set to or it exits, and probably should validate the new shell is in that white list as well before it changes it.
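The check described in the message above, as an added example that is not part of the original thread or of any tool named in it: both the account's current shell and the requested shell must appear in an admin-maintained allowlist, so an account set to /bin/false is refused outright. The function names, the sample allowlist and the `NO_LOGIN_SHELLS` set are assumptions made for illustration.

```python
"""Allowlist check for a shell-change tool (added example, hypothetical names)."""

# Constructed sample in /etc/shells format; a real tool would read its own
# admin-maintained allowlist file.
SAMPLE_ALLOWLIST = """\
# interactive shells users may switch between
/bin/sh
/bin/bash

/bin/tcsh   # trailing comment
/sbin/nologin
"""

# Assumption: these mark accounts with shell access deliberately disabled,
# so they never count as allowed even if the file lists them.
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_allowlist(text):
    """Return the set of absolute shell paths listed, ignoring comments."""
    shells = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry.startswith("/") and entry not in NO_LOGIN_SHELLS:
            shells.add(entry)
    return shells


def check_shell_change(current_shell, new_shell, allowed):
    """Return (ok, reason); both the current and the new shell must be allowed."""
    if current_shell not in allowed:
        return False, "current shell %r is not in the allowlist" % current_shell
    if new_shell not in allowed:
        return False, "new shell %r is not in the allowlist" % new_shell
    return True, "ok"


if __name__ == "__main__":
    allowed = parse_allowlist(SAMPLE_ALLOWLIST)
    for cur, new in [("/bin/bash", "/bin/tcsh"),
                     ("/bin/false", "/bin/bash"),
                     ("/bin/bash", "/tmp/x"),
                     ("/sbin/nologin", "/bin/sh")]:
        print(cur, "->", new, check_shell_change(cur, new, allowed))
```

Paths are compared as exact strings, so a non-canonical spelling such as /bin//bash is refused rather than normalised.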
On Mon, Jun 1, 2009 at 2:45 AM, Michael A. Peters mpeters@mac.com wrote:
Bill Campbell wrote:
Personally I would not permit users to change their shells, but require appropriate admin privileges. I have seen system hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definitely should not have been there.
Any tool that changes the shell should have a whitelist of shells the user account must currently be set to or it exits, and probably should validate the new shell is in that white list as well before it changes it.
I should have been more precise in my original post. After a second read, I see that it sounds like I was asking for policy advice. Actually, what I meant to ask was is it expected behavior that "lchsh" fails for LDAP users? If so, what are my choices for allowing users to change their shells? I can open up the permissions on /etc/default/useradd, but maybe there's a better way. I need this capability.
"chsh" works for local users, so it's not that CentOS takes a stand against users changing their shells.
Matt
On Mon, Jun 01, 2009, Matt Harrington wrote: ...
I should have been more precise in my original post. After a second read, I see that it sounds like I was asking for policy advice. Actually, what I meant to ask was is it expected behavior that "lchsh" fails for LDAP users? If so, what are my choices for allowing users to change their shells? I can open up the permissions on /etc/default/useradd, but maybe there's a better way. I need this capability.
"chsh" works for local users, so it's not that CentOS takes a stand against users changing their shells.
I think it was chsh that had a major security problem a while back that would permit users to change their uid to ``0'' with the expected bad results. I ran into this on a SuSE system where chsh was called from usermin.
Bill
Matt Harrington wrote:
Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:
Error initializing libuser: could not open configuration file `/etc/default/useradd': Permission denied.
lchsh and lchfn aren't setuid root on CentOS/RHEL systems, so they cannot open this file. I have no idea if this is intentional; a discussion on upstream's bugzilla - https://bugzilla.redhat.com/show_bug.cgi?id=125611 - advises against that.
You should open a bug on bugzilla.redhat.com against either libuser (where lchsh comes from) or against shadow-utils to make the useradd file readable for others at least.
It would be nice if you could tell us the bugzilla ID here, then.
Cheers,
Ralph