[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: "valid shell"s
On Thu, Feb 07, 2008 at 03:49:13PM -0500, der Mouse wrote:
> > That's the entire premise behind checking the shell, as opposed to,
> > say, /etc/ftpusers or other more verbose configuration files that do
> > or could exist.
> Equating those two is the premise behind abusing getusershell() to
> check for things like "may use server-side FTP", yes. But that
> equation is invalid.
Yes, that was at least part of the point. I think we're now arguing
about whether we're agreeing.
The rest of the point I was trying to make is that whether or not that
equivalence is a mistake, one can't abolish it without providing some
alternative way to arrive at a similar conclusion.
> > you can't remove the concept of a valid shell without providing a
> > suitable alternate check for these cases.
> Actually, from a dogmatic point of view, the correct thing to do is to
> wall them off from the "valid shell" concept, to make them stop abusing
> it by equating it with other things.
Yes, but if you don't provide an alternative, and for that matter also
a cogent explanation of why the alternative is more correct, they'll
just hack around your restriction. You will find lame programs coming
with a config test for getusershell() or whatever and providing an
alternative method that checks only if the user's shell is
Dogmatism isn't good for system design.
Furthermore, fixing a problem properly requires considering the entire
framework of the problem, including the administrative and social
contexts and the costs of deploying solutions.
> As a matter of pragmatics, it makes it, among other things, impossible
> to configure a box such that users in general have control over their
> own shells; setting such a system up demands some coding in that case -
> either writing the wrapper or removing the getusershell() stupidity
> from (at least) chsh.
Pragmatically, a lot of things are wrong and the more serious problems
should be tackled first. I'm just really not convinced /etc/shells is
very high on that list.
David A. Holland
Main Index |
Thread Index |