public inbox for [email protected]
help / color / mirror / Atom feedFrom: Andrew Dunstan <[email protected]>
To: [email protected]
Subject: Re: What goes into the security doc?
Date: Fri, 24 Jan 2003 10:36:43 -0500
Message-ID: <002b01c2c3be$68262c90$1a01000a@rduadunstan2> (raw)
References: <1043162191.18529.11.camel@camel>
<3E310ED4.2715.5D39B3DB@localhost>
man su says (on Linux):
-s, --shell=SHELL
run SHELL if /etc/shells allows it
Illustration:
[adunsta:adunsta]$ su -s /bin/tcsh - -c 'ps -f $$'
Password:
UID PID PPID C STIME TTY STAT TIME CMD
root 10682 10681 0 10:34 pts/0 S 0:00 -tcsh -c ps -f $$
[adunsta:adunsta]$
So setting /bin/true as the login shell prevents real logins but doesn't
prevent running commands as the user via su, even from a login shell.
andrew
----- Original Message -----
From: "Dan Langille" <[email protected]>
To: "Christopher Kings-Lynne" <[email protected]>
Cc: <[email protected]>
Sent: Friday, January 24, 2003 10:00 AM
Subject: Re: [HACKERS] What goes into the security doc?
> On 22 Jan 2003 at 13:29, Christopher Kings-Lynne wrote:
>
> > Recommend always running "initdb -W" and setting all pg_hba entries to
md5.
>
> Thanks. I also encountered this item on IRC:
>
> [09:26] <fede2> Guys, is there a problem with using /bin/true of
> /bin/false as the shell of the postgres user? The docs only says
> "adduser postgres" , witch will give postgres a nice shell.
> [09:27] <fede2> I'm asking because the guys from Gentoo (thats a
> distro FWIW), want to use either /bin/false of /bin/true as postgres'
> shell.
> [09:27] <dvl> fede2: it means you won't be able to become the
> postgres user to run commands.
> [09:27] <mmc_> ... to run SHELL commands.
> [09:29] <fede2> dvl: Aldo it's not the same, one could use "su -c foo
> postgres" to workarround it.
> [09:30] <fede2> dvl: I was wondering if it had an even heavier
> reason, besides that.
> [09:34] <mmc_> fede2: tha manpage of su says, that -c args is treated
> by the login shell !
> [09:35] <fede2> mmc_: Hmm.. true. That makes it a heavy enough
> reason. Thanks.
> [09:35] * fede2 departs
> --
> Dan Langille : http://www.langille.org/
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
view thread (20+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: What goes into the security doc?
In-Reply-To: <002b01c2c3be$68262c90$1a01000a@rduadunstan2>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox