On Thu, Jul 21, 2011 at 7:24 PM, David Chapman <dcchapman_at_acm.org> wrote:
> On 7/21/2011 4:00 PM, Daniel Neuberger wrote:
>> On Thu, Jul 21, 2011 at 2:13 PM, Nico Kadel-Garcia<nkadel_at_gmail.com>
>>> Don't give the shared "svn" user a valid shell!!!! If an administrator
>>> needs to run operations as that user, to manipulate config files or
>>> create new repositories, they can do "sudo -s -H -u svn" to get a
>>> valid shell as the administrative user. Sudo can even be configured to
>>> allow designated users such administrative access without requiring
>>> local root privileges at all.
>> Hmm, why didn't I think of that? It doesn't seem to work though.
>> Setting the shell to /bin/nologin or even just fakeshell breaks
>> everything. Is there another way to give an invalid shell?
> How about /bin/false? This is the "shell" defined for all of the non-login
> (e.g. daemon) accounts on my machines.
Depends on local system requirements. "/sbin/nologin" is common for
system accounts, such as "www-data" and "named" on UNIX and Linux
systems, that don't need root access nor a valid user shell. It can
even be listed in /etc/shells as a valid shell to permit certain
oddball authentication setups to work well.
Received on 2011-07-22 01:54:35 CEST
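An added example, not part of the original thread: a small audit that reports, for each account in a passwd-format file, whether its shell refuses logins (nologin or false), whether that shell is also listed in a shells file as the last message describes, or whether it is an ordinary interactive shell. The function name, status labels and sample accounts are constructed for illustration; on a real host the inputs would be /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user shell status" for every account. Status labels are this
# example's own: blocked, blocked-but-listed, interactive, unlisted.
audit_shells() {
    awk -F: '
        # First file: shells considered valid (format of /etc/shells).
        FILENAME == ARGV[1] {
            if ($0 != "" && $0 !~ /^#/) listed[$0] = 1
            next
        }
        # Second file: passwd entries; field 7 is the login shell.
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field falls back to /bin/sh
            n = split(shell, parts, "/")
            base = parts[n]
            blocking = (base == "nologin" || base == "false")
            if (blocking && (shell in listed)) status = "blocked-but-listed"
            else if (blocking)                 status = "blocked"
            else if (shell in listed)          status = "interactive"
            else                               status = "unlisted"
            printf "%s %s %s\n", $1, shell, status
        }
    ' "$2" "$1"
}

# Constructed sample data so the example runs offline.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svn:x:501:501:Shared Subversion user:/home/svn:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
demo:x:502:502:demo:/home/demo:fakeshell
EOF

audit_shells "$sample_dir/passwd" "$sample_dir/shells"
```

Shared or service accounts reported as "interactive" are the ones to review; "unlisted" marks a shell value that is neither a known login blocker nor present in the shells file.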