[Bug 456182] Review Request: rssh - Restricted shell for use with OpenSSH, allowing only scp and/or sftp
bugzilla at redhat.com
Tue Oct 28 20:12:31 UTC 2008
https://bugzilla.redhat.com/show_bug.cgi?id=456182
--- Comment #19 from Debarshi Ray <debarshi.ray at gmail.com> 2008-10-28 16:12:29 EDT ---
> Actually, rssh should *absolutely* *not* be added to /etc/shells. This file
> lists shells which should be considered valid login shells. rssh is not, nor
> is it intended to be, a valid login shell... it's a specialized shell intended
> to provide extremely restricted access.
Thanks Derek for that feedback!
> Some additional examples of badness that can occur if rssh is listed in
> /etc/shells:
>
> A malicious user could walk up to someone's terminal while they are away (or
> even not looking), quickly run chsh (setting it to rssh), and log the user out,
> effectively denying them login access to the machine.
>
> GDM will populate the user browser with an entry for that user, despite the
> fact that they will be unable to log in.
>
> Sendmail may allow users to execute arbitrary programs via .forward if their
> shell is rssh and it is listed in /etc/shells.
>
> getusershell() will return incorrect information about which shells are valid
> login shells.
Well, /etc/shells also has /sbin/nologin. Won't that cause some of the above
problems too?