tech-userlevel archive


Re: "valid shell"s



On Mon, Feb 04, 2008 at 02:34:39PM -0500, der Mouse wrote:
 > [various possible ways to buff up /etc/shells]
 > It sounds reasonable, but it also sounds like second-system effect....
 > 
 > But then, better yet might be to get rid of getusershell() entirely in
 > favour of saner ways of solving its original problem.

One can also hack around the issue with a program in /usr/local/bin
that execs $HOME/.shell, or /shells/$USER, which can then be anything.
If you want to be more elaborate you can have the wrapper do arbitrary
checks, too. (In which case you might want to chmod g+s it to an
otherwise unused group so it can't be ptraced and circumvented. Just
remember to setegid().)

This isn't necessarily recommended, but it might do if you need the
ability.

My guess is that otherwise it's not really worth trying to fix it,
beyond maybe adding globbing. Ultimately, there are too many admins
and users who know how /etc/shells works to justify making big changes
without a clear increment in functionality. And I don't think that's
going to happen except maybe by adding a field to the password file to
separate account state from shell choice... and that's pretty much a
non-starter.

My guess is that if you have enough users that adding random things
they want to /etc/shells is a hassle, you also have enough users that
the hassles associated with cleaning up after people who stupidly or
accidentally set their shell to /bin/cat (or /usr/pgk/bin/zsh) will
outweigh any administrative benefits of making chsh unrestricted.

(However, by all means hack away experimentally - there might come a
point where we're ready to do a major change to the way account
information is managed, and at that point it would be helpful to
already know and have tested out all the other redesigns that should
be rolled in at the same time.)

Some things are just too deeply intertwined with everything else, so if
you pull on them you end up with a big tangle. :-|

-- 
David A. Holland
dholland%netbsd.org@localhost
