Matt Harrington
2009-May-31 22:31 UTC
[CentOS] Changing a user's shell on CentOS Directory Server?
Should unprivileged users be able to change their shell with lchsh on 5.3 and, if it matters, CentOS Directory Server? lchsh seems to require more open permissions than those which come with a default installation:

Error initializing libuser: could not open configuration file `/etc/default/useradd': Permission denied.

Matt
Bill Campbell
2009-Jun-01 04:59 UTC
[CentOS] Changing a user's shell on CentOS Directory Server?
On Sun, May 31, 2009, Matt Harrington wrote:
> Should unprivileged users be able to change their shell with lchsh on
> 5.3 and, if it matters, CentOS Directory Server? lchsh seems to
> require more open permissions than those which come with a default
> installation:

Personally I would not permit users to change their shells, but require appropriate admin privileges. I have seen systems hacks made via webmin or usermin where the user's shell was changed from /bin/false to /bin/bash, then the account used to install user-level bots that definitely should not have been there.

Most of our customers are regional ISPs or small-to-medium businesses where most user accounts have /bin/false as their shells as the average user has no need for shell access. Any user who wants real shell access needs to ask specifically for it, and, in the case of the ISPs, be known to the ISP as somebody who isn't going to abuse or misuse the account, intentionally or through simple ignorance.

Bill
--
INTERNET: bill at celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/    PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676             Mercer Island, WA 98040-0820
Fax: (206) 232-9186               Skype: jwccsllc (206) 855-5792

Democracy Is Mob Rule with Income Taxes
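The shell change described in the message above (/bin/false replaced by /bin/bash) can be caught by comparing account snapshots. This is an added example, not part of the original thread: the function name, the snapshot file names and the list of non-login shells are assumptions, and the sample data is constructed. Snapshots are assumed to be in passwd(5) format, for example saved from `getent passwd` so that directory-server accounts are included.

```shell
#!/bin/sh
# shell_changes BASELINE CURRENT
# Prints "user old_shell new_shell" for every account that had a
# non-login shell in BASELINE and has a usable shell in CURRENT.
shell_changes() {
    awk -F: '
        # Shells treated as "no shell access" (assumed list; adjust per site).
        function nologin(s) {
            return s == "/bin/false" || s == "/sbin/nologin" || s == "/usr/sbin/nologin"
        }
        # First file: remember the baseline shell of each account.
        NR == FNR { base[$1] = $7; next }
        # Second file: an empty shell field means /bin/sh per passwd(5).
        {
            new = ($7 == "" ? "/bin/sh" : $7)
            if (($1 in base) && nologin(base[$1]) && !nologin(new))
                print $1, base[$1], new
        }
    ' "$1" "$2"
}

# make_samples DIR: write two constructed snapshots into DIR.
make_samples() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/false
bob:x:501:501:Bob:/home/bob:/bin/false
carol:x:502:502:Carol:/home/carol:/bin/bash
dave:x:503:503:Dave:/home/dave:/sbin/nologin
EOF
    cat > "$1/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/sbin/nologin
carol:x:502:502:Carol:/home/carol:/bin/bash
dave:x:503:503:Dave:/home/dave:
EOF
}

# Run the constructed demo only when asked: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    shell_changes "$d/passwd.baseline" "$d/passwd.current"
    rm -rf "$d"
fi
```

On the constructed data it reports alice and dave; bob moved between two non-login shells and carol already had a shell, so neither is listed.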
Ralph Angenendt
2009-Jun-02 10:08 UTC
[CentOS] Changing a user's shell on CentOS Directory Server?
Matt Harrington wrote:
> Should unprivileged users be able to change their shell with lchsh on
> 5.3 and, if it matters, CentOS Directory Server? lchsh seems to
> require more open permissions than those which come with a default
> installation:
>
> Error initializing libuser: could not open configuration file
> `/etc/default/useradd': Permission denied.

lchsh and lchfn aren't setuid root on CentOS/RHEL systems, so they cannot open this file. I have no idea if this is intentional; a discussion on upstream's bugzilla - <https://bugzilla.redhat.com/show_bug.cgi?id=125611> - advises against that.

You should open a bug on bugzilla.redhat.com against either libuser (where lchsh comes from) or against shadow-utils to make the useradd file readable for others at least. It would be nice if you could tell us the bugzilla ID here, then.

Cheers,
Ralph