From: Golden_Eternity [bhodi@....com]
Sent: Monday, April 23, 2001 12:08 PM
Subject: Non-user accounts assigned shell by default – Red Hat 6.1-7.0,
AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0
The default installation does not assign a shell for most non-user accounts
(e.g. nobody, bin). If no shell is specified for an account, the shell
defaults to /bin/sh.
On its own, this does not pose a significant threat. However, very few of
these accounts require a shell, so there is no reason to grant this extra
privilege. This may violate security policies for granting the minimum
privileges necessary to accomplish a task.
Additionally, the default installation of /etc/shells does not contain a
shell such as /bin/false which would deny login.
Red Hat was contacted about this in June 2000 and has elected not to fix
this problem at this time.
The solution would be to assign these accounts a false shell which will
not permit login, such as /bin/false. This shell could be added to /etc/shells
for use with chsh.
[root@roto-router /root]# grep “nobody” /etc/passwd
[root@roto-router /root]# su nobody
[root@roto-router /root]# grep “xfs” /etc/passwd
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
[root@roto-router /root]# su xfs
I apologize if this is not considered a significant enough issue to post
to bugtraq. I debated posting for a while and eventually decided that if
it isn’t, the moderator will kill it.
Since some administrators may not be aware that there is a default shell
for unix/linux accounts, I felt this information could be useful.
Updates to this warning can be found at http://www.bhodisoft.com/Sec/