From: Golden_Eternity [bhodi@bigfoot.com]
Sent: Monday, April 23, 2001 12:08 PM
To: 'BUGTRAQ@securityfocus.com'
Subject: Non-user accounts assigned shell by default - Red Hat 6.1-7.0, et al.

SEVERITY: Low

AFFECTED VERSIONS: Confirmed on Red Hat 6.1, 6.2 and 7.0

DESCRIPTION:
The default installation does not assign a shell for most non-user accounts (e.g. nobody, bin). If no shell is specified for an account, the shell defaults to /bin/sh. On its own, this does not pose a significant threat. However, very few of these accounts require a shell, so there is no reason to grant this extra privilege. This may violate security policies for granting the minimum privileges necessary to accomplish a task.

Additionally, the default installation of /etc/shells does not contain a shell such as /bin/false which would deny login.

Red Hat was contacted about this in June 2000 and has elected not to fix this problem at this time.
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12409

SOLUTION:
The solution would be to assign these accounts a false shell which will not permit login, such as /bin/false. This shell could be added to /etc/shells for use with chsh.

DEMONSTRATION:
    [root@roto-router /root]# grep "nobody" /etc/passwd
    nobody:x:99:99:Nobody:/:
    [root@roto-router /root]# su nobody
    bash$
    [root@roto-router /root]# grep "xfs" /etc/passwd
    xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
    [root@roto-router /root]# su xfs
    [root@roto-router /root]#

---

I apologize if this is not considered a significant enough issue to post to bugtraq. I debated posting for a while and eventually decided that if it isn't, the moderator will kill it. ;)

Since some administrators may not be aware that there is a default shell for unix/linux accounts, I felt this information could be useful.

Updates to this warning can be found at http://www.bhodisoft.com/Sec/
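The audit and fix the post describes, as an added example that is not part of the original message or of any Red Hat tooling. It assumes a passwd-format file as input (the embedded sample is constructed in the style of a Red Hat 6.x/7.0 /etc/passwd, not copied from a real host), and the function names, the choice of /bin/false as the non-login shell, and the use of usermod -s are the example's own. Accounts whose seventh field is empty are the ones login(1) and su(1) give /bin/sh to, which is what the demonstration above shows for nobody.

```shell
#!/bin/sh
# Constructed sample passwd file (not from a real system): several system
# accounts have an empty shell field, xfs has an explicit /bin/false.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Write the constructed sample to the path given in $1.
write_sample_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1"
}

# Print "name uid" for every account in passwd file $1 whose login shell
# field is empty; these accounts get /bin/sh by default.
accounts_with_default_shell() {
    awk -F: '$7 == "" { print $1, $3 }' "$1"
}

# Print the usermod commands that would assign non-login shell $2 to every
# empty-shell account in passwd file $1. Printed rather than run so the
# admin can review them first; /bin/false is an assumed choice.
usermod_fixes() {
    awk -F: -v sh="$2" '$7 == "" { printf "usermod -s %s %s\n", sh, $1 }' "$1"
}

# Exit 0 if shell $2 is listed in an /etc/shells-style file $1. chsh refuses
# a shell that is not listed there, which is the /etc/shells point in the post.
shell_listed() {
    grep -qx "$2" "$1"
}

# Usage: audit the constructed sample. Pass /etc/passwd and /etc/shells
# in place of the temporary files to audit a real host.
tmp=$(mktemp)
write_sample_passwd "$tmp"
echo "Accounts that will get /bin/sh by default:"
accounts_with_default_shell "$tmp"
echo "Suggested fixes:"
usermod_fixes "$tmp" /bin/false
rm -f "$tmp"
```

usermod -s does not consult /etc/shells, so it can assign /bin/false without editing that file; chsh does consult it, which is why the post suggests adding /bin/false there if chsh is the tool in use. On the sample, the audit reports bin, daemon and nobody; root, alice (a real user) and xfs (already /bin/false) are left alone.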