On Mon, Jun 1, 2009 at 2:45 AM, Michael A. Peters <mpeters at mac.com> wrote:
> Bill Campbell wrote:
>> Personally I would not permit users to change their shells, but
>> require appropriate admin privileges. I have seen systems hacks
>> made via webmin or usermin where the user's shell was changed
>> from /bin/false to /bin/bash, then the account used to install
>> user-level bots that definitely should not have been there.
>
> Any tool that changes the shell should have a whitelist of shells the
> user account must currently be set to or it exits, and probably should
> validate the new shell is in that whitelist as well before it changes it.

I should have been more precise in my original post. After a second read, I see that it sounds like I was asking for policy advice. Actually, what I meant to ask was: is it expected behavior that "lchsh" fails for LDAP users? If so, what are my choices for allowing users to change their shells? I can open up the permissions on /etc/default/useradd, but maybe there's a better way. I need this capability. "chsh" works for local users, so it's not that CentOS takes a stand against users changing their shells.

Matt
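The whitelist rule Michael describes (refuse the change unless both the account's current shell and the requested shell are on an approved list) is shown below as an added example. It is not code from the thread nor from chsh/lchsh; the approved-shell list and the passwd-style records are constructed for the example, and a real tool would read /etc/shells and the account database instead.

```python
"""Whitelist check for a self-service shell change.

Rule (from the thread): a shell-change tool should exit unless the account's
CURRENT shell is on an approved list, and should also verify the NEW shell is
on that list before changing it. This keeps a disabled account (/bin/false,
/sbin/nologin) from being re-enabled through the self-service path.

Added example; the data below is constructed, not taken from any system.
"""

# Constructed /etc/shells-style list: one path per line, '#' comments allowed.
APPROVED_SHELLS_TEXT = """\
# constructed approved login shells
/bin/sh
/bin/bash
/bin/ksh
"""

# Constructed passwd-style records (name:x:uid:gid:gecos:home:shell).
PASSWD_TEXT = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc-backup:x:1002:1002:Backup service:/var/backup:/bin/false
bob:x:1003:1003:Bob:/home/bob:/sbin/nologin
"""


def parse_shell_list(text):
    """Return the set of approved shell paths from /etc/shells-style text."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_passwd(text):
    """Map user name -> current login shell from passwd-style text."""
    current = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            current[fields[0]] = fields[6]
    return current


def check_shell_change(user, new_shell, current_shells, approved):
    """Apply the whitelist rule. Returns (allowed, reason).

    Both checks are needed: the current-shell check stops a disabled account
    from being re-enabled by its own owner (or by anyone holding its
    credentials); the new-shell check stops an arbitrary binary from becoming
    a login shell.
    """
    current = current_shells.get(user)
    if current is None:
        return False, "unknown user"
    if current not in approved:
        return False, "current shell %s is not an approved login shell" % current
    if new_shell not in approved:
        return False, "requested shell %s is not an approved login shell" % new_shell
    return True, "ok"


def evaluate(user, new_shell):
    """Run the check against the constructed data."""
    return check_shell_change(user, new_shell,
                              parse_passwd(PASSWD_TEXT),
                              parse_shell_list(APPROVED_SHELLS_TEXT))


if __name__ == "__main__":
    requests = [("alice", "/bin/ksh"),        # allowed: bash -> ksh
                ("svc-backup", "/bin/bash"),  # refused: account is disabled
                ("alice", "/bin/evil"),       # refused: new shell not approved
                ("bob", "/bin/sh"),           # refused: nologin account
                ("carol", "/bin/sh")]         # refused: unknown user
    for user, shell in requests:
        print("%-11s -> %-10s %s" % (user, shell, evaluate(user, shell)))
```

Note that the current-shell check is the one that addresses Bill's /bin/false to /bin/bash scenario: validating only the new shell would still let a disabled account be turned back into a login account.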