[ale] how to create user with no password

Bob Toxen bob at verysecurelinux.com
Mon Mar 1 11:34:26 EST 2004


On Sun, Feb 29, 2004 at 08:32:55PM -0500, Michael H. Warfield wrote:
> On Fri, Feb 27, 2004 at 03:29:18PM -0500, James P. Kinney III wrote:
> > On Fri, 2004-02-27 at 10:07, Danny Cox wrote:
> > > James,
> > > 
> > > On Thu, 2004-02-26 at 11:27, James P. Kinney III wrote:
> > > > And while your editing the /etc/passwd file, change the line that reads:
> > > > /bin/bash
> > > > to:
> > > > /bin/false
> > > 
> > > 	Actually, this is dangerous.  It starts a shell, which begins to parse
> > > /bin/false and if you can catch it between the time it starts, and when
> > > it exits with an interrupt, the shell will happily give you a prompt!
> > > 
> > > 	Perhaps bash doesn't do this now, but I'll bet you a purty (I can use
> > > that term, as I was born here) that it will!
> > > 
> > > 	Mr. Toxen, confirmation please?
On the 4 or so different Distros & versions it is an executable.  However,
just do

     /bin/false --help

to realize that it is non-trivial and might not be trustworthy.

"info false" claims

        This version of `false' is implemented as a C program, and is thus
     more secure and faster than a shell script implementation, and may
     safely be used as a dummy shell for the purpose of disabling accounts.

However if "file /bin/false" suggests a script on your system try
/bin/date or /dev/null.

For non-root users I'd not be to worried as if there are no logins or
shell escapes, how does one send it an interrupt?  Watch out for those
shell escapes; most large interactive programs offer them.

> > I think you are correct in this. /bin/false _used_ to be a special "null
> > shell" replacement. In RedHat it exists and and does load a bash shell
> > to run from.

> [mhw at alcove mhw]$ cat /etc/issue
> Red Hat Linux release 7.3 (Valhalla)
> Kernel \r on an \m

> [mhw at alcove mhw]$ file /bin/false
> /bin/false: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

> [mhw at canyon mhw]$ cat /etc/issue
> Fedora Core release 1 (Yarrow)
> Kernel \r on an \m

> [mhw at canyon mhw]$ file /bin/false
> /bin/false: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped
> [mhw at canyon mhw]$

> 	Use to be true.  May still be true on SCO Unix.  :-)  Hasn't been
> true on any recent versions of RedHat.

> 	That being said, I also agree that using /bin/false is bad practice,
> not because it's a shell script but because it MIGHT be.  Develop a bad
> habit and switch to another OS and get burned.  Use nologin.

> > -- 
> > James P. Kinney III          \Changing the mobile computing world/
> > CEO & Director of Engineering \          one Linux user         /
> > Local Net Solutions,LLC        \           at a time.          /
> > 770-493-8244                    \.___________________________./
> > http://www.localnetsolutions.com
> > 
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002



More information about the Ale mailing list