From: Geoff Fritz
To: Sniper, freebsd-questions@freebsd.org
Date: Sun, 1 Mar 2009 11:40:16 -0700
Subject: Re: Root shell

On Sun, Mar 01, 2009 at 04:16:50PM +0000, Frank Shute wrote:
> On Sun, Mar 01, 2009 at 03:50:29PM +0100, Sniper wrote:
> >
> > Hi!
> >
> > I heard that changing root shell to bash is not a good idea, also programming
> > in any C shell not applicable. So which shell is the most appropriate for
> > root user?
> >
>
> I changed my root shell to pdksh with no ill-effects. I just copied it
> from /usr/local/bin to /bin and added it to /etc/shells. Then vipw.
>
> pdksh is statically linked and I don't know if bash is. If it's not
> you won't be able to use it in single user mode but you can always use
> /bin/sh instead.

I, too, like pdksh for my root accounts. If I have a system where
/usr/local does not share the / device, I will copy it over. There's the
WITH_STATIC_BASH knob to make bash a static binary, as well. As noted by
someone in the archives, ksh-alikes have issues allocating a tty when used
in a jail accessed via jexec, so beware of that.

As system shell scripts have their correctly defined #! shell (/bin/sh),
it really doesn't matter what you use for an interactive shell so long as
you trust the source distribution of that shell (which should be an obvious
conclusion, since the FreeBSD team is only responsible for those shells that
come packaged with the base OS).

Purists will note that root's choice of shell is of no consequence since
nobody should be using the root account for any serious long-term
interactive use in the first place. Except for environments where there's
an assumed lack of trust in the admins (use sudo), delegation of root-like
powers to lesser admins (use sudo), or strict audit/logging requirements
(use sudosh or more serious auditing mechanisms), I personally feel that
hobbling an admin with a non-root account is of dubious value.

In any case, there's no functional reason to not use the shell of your
choice. However, individuals or organizations will strongly differ in their
admin philosophy.

--
Geoff
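
The checks this thread describes for a replacement root shell (listed in /etc/shells, present on the root filesystem, statically linked for single-user mode), written out as an added sh example that is not part of the original messages. The function names are hypothetical, and the static-link test assumes file(1) is installed and reports "statically linked".

```shell
#!/bin/sh
# Added example: pre-flight checks for a replacement root shell.
# File locations are arguments so the checks can be tried on copies.

# Login shell of user $1 in passwd-format file $2. The shell is the last
# field in both /etc/passwd (7 fields) and /etc/master.passwd (10 fields).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $NF; exit }' "$2"
}

# True if shell path $1 appears as a whole line in shells file $2.
listed_in_shells() {
    grep -Fqx -- "$1" "$2"
}

# True if path $1 lives on the filesystem mounted at /, so it is still
# reachable when only the root filesystem is mounted (single-user mode).
on_root_fs() {
    [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "/" ]
}

# True if file(1) describes $1 as statically linked (assumed wording).
is_static() {
    file -L "$1" 2>/dev/null | grep -q 'statically linked'
}

# Print one WARN line per problem for user $1, given passwd file $2 and
# shells file $3. The return status is the number of problems found.
check_shell() {
    problems=0
    shell=$(login_shell "$1" "$2")
    if [ -z "$shell" ]; then
        echo "WARN: no entry or empty shell field for $1"; return 1
    fi
    listed_in_shells "$shell" "$3" ||
        { echo "WARN: $shell is not listed in $3"; problems=$((problems + 1)); }
    if [ ! -x "$shell" ]; then
        echo "WARN: $shell is missing or not executable"; problems=$((problems + 1))
    else
        on_root_fs "$shell" ||
            { echo "WARN: $shell is not on the root filesystem"; problems=$((problems + 1)); }
        is_static "$shell" ||
            { echo "WARN: $shell is not statically linked, or file(1) is unavailable"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Usage: sh check_root_shell.sh root /etc/master.passwd /etc/shells
if [ "$#" -eq 3 ]; then check_shell "$@"; fi
```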