[CentOS] Changing a user's shell on CentOS Directory Server?

Mon Jun 1 09:45:13 UTC 2009
Michael A. Peters <mpeters at mac.com>

Bill Campbell wrote:
> On Sun, May 31, 2009, Matt Harrington wrote:
>> Should unprivileged users be able to change their shell with lchsh on
>> 5.3 and, if it matters, CentOS Directory Server?  lchsh seems to
>> require more open permissions than those which come with a default
>> installation:
> 
> Personally I would not permit users to change their shells, but
> require appropriate admin privileges.  I have seen systems hacks
> made via webmin or usermin where the user's shell was changed
> from /bin/false to /bin/bash, then the account used to install
> user-level bots that definitely should not have been there.

Any tool that changes the shell should have a whitelist of shells the
user account must currently be set to or it exits, and probably should
validate the new shell is in that whitelist as well before it changes it.
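
The two-sided check described in the message above, as an added example (not part of the original post and not lchsh's own code). The function names, the one-path-per-line allowlist format (the same layout as /etc/shells) and the sample allowlist are assumptions constructed for illustration.

```python
# Added illustration: gate a shell change on an allowlist that applies to
# BOTH the account's current shell and the requested one.

# Constructed sample allowlist. /bin/false is deliberately absent, so an
# account locked with it can never be moved to a login shell by this tool.
SAMPLE_ALLOWLIST = """\
# interactive shells users may switch between
/bin/sh
/bin/bash
/bin/tcsh   # trailing comments are ignored
"""


def load_allowed_shells(text):
    """Parse allowlist text: one absolute path per line, '#' starts a comment."""
    allowed = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry.startswith("/"):
            allowed.add(entry)
    return allowed


def check_shell_change(current, requested, allowed):
    """Return (ok, reason). Refuse unless both shells are on the allowlist.

    Matching is exact string comparison, so relative paths, empty fields and
    spellings such as /bin/../bin/bash are rejected rather than normalised.
    """
    for label, shell in (("current", current), ("requested", requested)):
        if shell not in allowed:
            return False, "%s shell %r is not on the allowlist" % (label, shell)
    return True, "ok"


ALLOWED = load_allowed_shells(SAMPLE_ALLOWLIST)

if __name__ == "__main__":
    cases = [
        ("/bin/bash", "/bin/tcsh"),         # ordinary user switching shells
        ("/bin/false", "/bin/bash"),        # locked account: must be refused
        ("/bin/bash", "/tmp/mysh"),         # arbitrary binary as new shell
        ("/bin/bash", "/bin/../bin/bash"),  # non-canonical spelling
    ]
    for current, requested in cases:
        ok, reason = check_shell_change(current, requested, ALLOWED)
        print("%-11s -> %-17s %s (%s)" % (current, requested,
                                          "ALLOW" if ok else "DENY", reason))
```
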