From owner-freebsd-questions@FreeBSD.ORG Thu Dec 16 16:12:41 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 935D116A4CE for ; Thu, 16 Dec 2004 16:12:41 +0000 (GMT) Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 231F043D5A for ; Thu, 16 Dec 2004 16:12:41 +0000 (GMT) (envelope-from pauls@utdallas.edu) Received: from utd49554 (utd49554.utdallas.edu [129.110.3.85]) by smtp1.utdallas.edu (Postfix) with ESMTP id 7EDBF388DEB for ; Thu, 16 Dec 2004 10:12:40 -0600 (CST) Date: Thu, 16 Dec 2004 10:12:40 -0600 From: Paul Schmehl To: freebsd-questions@FreeBSD.org Message-ID: <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu> In-Reply-To: <41C16D47.7030302@infracaninophile.co.uk> References: <005a01c4e31c$efc4d460$0200a8c0@PANASONIULSWMR> <41C16D47.7030302@infracaninophile.co.uk> X-Mailer: Mulberry/3.1.6 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Re: Why reccomend Bash shell? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Paul Schmehl List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Dec 2004 16:12:41 -0000 --On Thursday, December 16, 2004 11:11:03 AM +0000 Matthew Seaman wrote: > > On point that no one has mentioned on this list yet is that it is a good > idea to have root's shell be entirely contained on the root partition of > the system -- ie. not just the executable, but any shlibs it requires as > well. There's been a thread over on freebsd-ports@... about ppp(8) > apparently failing because of problems linking libintl -- which actually > turned out to be because root's shell had been changed to bash(1). > I'm curious to know why you would change root's shell to bash. You can change shells at the cli easily. What's one more command before you start working? > > On the other hand, I take the view that the less done by the super user > the better, and discourage myself to use sudo(1) preferentially and to > keep su(1) sessions as short as possible by making root's shell as > /unfriendly/ as possible. > Is this a religious argument? Or is there a sound security basis for it? I ask because I'm not sure I see the difference. I prefer to leave sudo set up to prompt for a password. This at least reminds you that what you're doing is "root's" work (and if you screw up, you could do "bad" things.) If I'm going to do a lot of work, I just su - to root, do the work and then get out. I don't allow remote root access, so I'm wondering - am I exposing my systems to some unnecessary risk? Or is this just a matter of personal preference? Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu