From: Golden_Eternity [bhodi@….com]
Sent: Monday, April 23, 2001 12:08 PM
To: ‘BUGTRAQ@….com’
Subject: Non-user accounts assigned shell by default - Red Hat 6.1-7.0, et al.
SEVERITY: Low
AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0
DESCRIPTION:
The default installation leaves the shell field of /etc/passwd empty for most
non-user accounts (e.g. nobody, bin). When that field is empty, the programs
that start a session (login, su) substitute /bin/sh, so these accounts end up
with a working shell even though none was ever assigned.
On its own, this does not pose a significant threat. However, very few of
these accounts ever need an interactive shell, so there is no reason to grant
one: any compromise of such an account (via a daemon running under it, for
example) hands the attacker a shell that could have been denied. This also
violates security policies that require granting only the minimum privileges
necessary to accomplish a task.
Additionally, the default /etc/shells does not list a non-login shell such as
/bin/false, so chsh cannot be used to assign one.
Red Hat was contacted about this in June 2000 and has elected not to fix
this problem at this time.
https://bugzilla.redhat.com/show_bug.cgi?id=12409
SOLUTION:
Assign these accounts a shell that does not permit login, such as /bin/false
(or /sbin/nologin where the system provides it). As root, usermod -s sets the
shell field directly and does not consult /etc/shells, so the non-login shell
need not be listed there. Adding /bin/false to /etc/shells would allow chsh to
accept it, but note the side effect: some services (ftpd, for instance) consult
/etc/shells via getusershell() to decide whether an account is allowed to log
in, and listing /bin/false there makes those accounts look valid to them.
Setting the shell with usermod and leaving /etc/shells alone avoids this.
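The following audit script is an added example and is not part of the original advisory. It reads passwd-format lines, reports every account whose shell field is empty (the accounts that silently fall back to /bin/sh), and prints the usermod commands that would assign a non-login shell. SAMPLE_PASSWD is a constructed excerpt; on a real system, feed /etc/passwd to the functions instead. The default of /bin/false and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the advisory: find accounts whose shell field is
# empty and generate the commands that would assign a non-login shell.

# Constructed sample in /etc/passwd format; replace with: cat /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Print the login names whose seventh field (the shell) is empty.
# These accounts get /bin/sh from login/su even though no shell is assigned.
# Usage: empty_shell_accounts < /etc/passwd
empty_shell_accounts() {
    awk -F: '$7 == "" { print $1 }'
}

# Number of accounts with an empty shell field, read from stdin.
count_empty_shells() {
    empty_shell_accounts | wc -l | tr -d ' '
}

# Print (do not run) the usermod commands that would set a non-login shell.
# $1 is the shell to assign; /bin/false is an assumed default, /sbin/nologin
# works the same way where it exists. Pipe the output to sh as root to apply.
# Usage: fix_commands /bin/false < /etc/passwd
fix_commands() {
    shell="${1:-/bin/false}"
    awk -F: -v s="$shell" '$7 == "" { printf "usermod -s %s %s\n", s, $1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | empty_shell_accounts
printf '%s\n' "$SAMPLE_PASSWD" | fix_commands /bin/false
```

Run as root, `fix_commands /bin/false < /etc/passwd | sh` applies the change; review the list first, since any account that legitimately relies on the implicit /bin/sh (a cron job that runs a shell script under a service account, for example) would be affected.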
DEMONSTRATION:
[root@roto-router /root]# grep "nobody" /etc/passwd
nobody:x:99:99:Nobody:/:
[root@roto-router /root]# su nobody
bash$
[root@roto-router /root]# grep "xfs" /etc/passwd
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
[root@roto-router /root]# su xfs
[root@roto-router /root]#
--
I apologize if this is not considered a significant enough issue to post
to bugtraq. I debated posting for a while and eventually decided that if
it isn't, the moderator will kill it. 😉
Since some administrators may not be aware that there is a default shell
for Unix/Linux accounts, I felt this information could be useful.
Updates to this warning can be found at https://www.bhodisoft.com/Sec/