[Bug 223159] New: chsh allows to change login shell even if the user has a restricted shell
https://bugzilla.novell.com/show_bug.cgi?id=223159

           Summary: chsh allows to change login shell even if the user has a restricted shell
           Product: SUSE Linux 10.1
           Version: Final
          Platform: Other
        OS/Version: SuSE Linux 10.1
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: kukuk@novell.com
        ReportedBy: lmuelle@novell.com
         QAContact: qa@suse.de
                CC: kj@sernet.de

lmuelle@lisa:~> LC_ALL=POSIX chsh
Changing login shell for lmuelle.
Password:
Enter the new value, or press return for the default.
        Login Shell [/usr/bin/rbash]: /bin/bash
Shell changed.

But the chsh man page states:

An account with a restricted login shell may not change their login shell.

Is there a different restricted login shell meant by the man page?

Do I have to edit /etc/shells on all systems where I'd like to lock the users to rbash?

This might even be appraised as a security problem.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=223159

------- Comment #1 from meissner@novell.com 2006-11-22 02:14 MST -------
what is the content of /etc/pam.d/chsh ?

https://bugzilla.novell.com/show_bug.cgi?id=223159

------- Comment #2 from lmuelle@novell.com 2006-11-22 03:42 MST -------
The default as delivered with pwdutils-3.0.7.1-17 of SUSE Linux 10.1.

#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

https://bugzilla.novell.com/show_bug.cgi?id=223159

------- Comment #3 from lmuelle@novell.com 2006-11-22 09:52 MST -------
As a workaround I've set up a directory with symlinks to the allowed commands and set PATH to this dir.

https://bugzilla.novell.com/show_bug.cgi?id=223159

kukuk@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #4 from kukuk@novell.com 2006-11-25 08:13 MST -------
/usr/bin/rbash is listed in /etc/shells, so how can this be a restricted shell?
There is _no_ such rule like restricted shells starts with "r" or similar things.

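Added example, not part of the bug report or of pwdutils: comment #4's point is that chsh accepted the change because /usr/bin/rbash is listed in /etc/shells. The sketch below audits a passwd file for accounts in that position; the function names and the sample accounts are constructed for illustration, and the shells meant to be restricted are passed explicitly, since no naming rule identifies them.

```shell
#!/bin/sh
# Audit: which accounts have a login shell that the admin intends as
# restricted, but that is listed in the shells file, so chsh does not
# treat it as restricted and lets the user switch to another shell?

# is_listed SHELL SHELLS_FILE -> exit 0 if SHELL is an exact line of the file.
is_listed() {
    # -x matches the whole line, -F treats the path as a fixed string.
    # Comment lines start with '#', so an absolute path never matches one.
    grep -qxF -- "$1" "$2"
}

# chsh_escapable PASSWD_FILE SHELLS_FILE RESTRICTED_SHELL...
# Prints "user:shell" for every account that can leave its restricted shell.
chsh_escapable() {
    passwd_file=$1
    shells_file=$2
    shift 2
    for rshell in "$@"; do
        # Not listed: chsh treats the shell as restricted, nothing to report.
        is_listed "$rshell" "$shells_file" || continue
        # Field 7 of passwd(5) is the login shell.
        awk -F: -v s="$rshell" '$7 == s { print $1 ":" $7 }' "$passwd_file"
    done
}

# Constructed sample data (not taken from the reporter's system).
demo_dir=$(mktemp -d)
printf '%s\n' /bin/bash /usr/bin/rbash > "$demo_dir/shells"
printf '%s\n' \
    'alice:x:1000:100::/home/alice:/bin/bash' \
    'kiosk:x:1001:100::/home/kiosk:/usr/bin/rbash' > "$demo_dir/passwd"
chsh_escapable "$demo_dir/passwd" "$demo_dir/shells" /usr/bin/rbash
rm -rf "$demo_dir"
```

On a live system the same check is `chsh_escapable /etc/passwd /etc/shells /usr/bin/rbash`; an empty result means no account with that shell can change it through chsh.
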
https://bugzilla.novell.com/show_bug.cgi?id=223159

lmuelle@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Comment #5 from lmuelle@novell.com 2006-11-29 05:32 MST -------
Rudi: Please consider to remove /usr/bin/rbash from /etc/shells.

https://bugzilla.novell.com/show_bug.cgi?id=223159

lmuelle@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|kukuk@novell.com            |ro@novell.com
             Status|REOPENED                    |NEW

https://bugzilla.novell.com/show_bug.cgi?id=223159

ro@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #6 from ro@novell.com 2006-11-29 08:42 MST -------
submitted for post 10.2 (done/STABLE/LATER)

https://bugzilla.novell.com/show_bug.cgi?id=223159

lmuelle@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Comment #7 from lmuelle@novell.com 2006-11-29 09:56 MST -------
Thorsten: Should we fix this for the 10.1 tree too?

https://bugzilla.novell.com/show_bug.cgi?id=223159

lmuelle@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |kukuk@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=223159

------- Comment #9 from lmuelle@novell.com 2006-11-30 04:55 MST -------
The reason to have this in 10.1 and therefore SLE 10 is:

A user tries to use rbash and it doesn't work as expected. The user calls the support. The support department calls the support development interface team. This team calls the maintainer of the pwdutils.

The alternative is to remove /usr/bin/rbash from /etc/shells.

For those customers with modified /etc/shells the %config in the files section ensures to create a backup.

https://bugzilla.novell.com/show_bug.cgi?id=223159

ro@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #10 from ro@novell.com 2007-01-26 05:10 MST -------
done for SLES10-SP1

https://bugzilla.novell.com/show_bug.cgi?id=223159

Dr. Werner Fink <werner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |339073