On Mon, Jun 01, 2009, Matt Harrington wrote:
...
>I should have been more precise in my original post.  After a second
>read, I see that it sounds like I was asking for policy advice.
>Actually, what I meant to ask was is it expected behavior that "lchsh"
>fails for LDAP users?  If so, what are my choices for allowing users
>to change their shells?  I can open up the permissions on
>/etc/default/useradd, but maybe there's a better way.  I need this
>capability.
>
>"chsh" works for local users, so it's not that CentOS takes a stand
>against users changing their shells.

I think it was chsh that had a major security problem a while back that
would permit users to change their uid to ``0'' with the expected bad
results.  I ran into this on a SuSE system where chsh was called from
usermin.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

"If taxation without consent is not robbery, then any band of robbers
have only to declare themselves a government, and all their robberies
are legalized." -- Lysander Spooner, Letter to Grover Cleveland 1886