Date:      Tue, 1 Jun 2021 07:22:17 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Roger Marquis <marquis@roble.com>, Gordon Tetlow <gordon@tetlows.org>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: sysrc bug
Message-ID:  <8ca289b7-2196-f7db-1c7b-a5fcbc2c5cc9@grosbein.net>
In-Reply-To: <s2s2o821-3n23-6811-2020-s172porqps6n@mx.roble.com>
References:  <p1XhdZERaUmjjEr3KeA4_0dCz0OkMIxIfT_4GfVD5KOMCfN-EjrgVNLr-s6eqVpthVvOIJmEdbi9e6gkjgWizVc_Z94TPdjs4eglvRNNP8g=@protonmail.com> <CAKghNw1PYAws6SCCOiFxmcD0mjhjffBuYwwyv2ZR-QQcAn8FBg@mail.gmail.com> <s2s2o821-3n23-6811-2020-s172porqps6n@mx.roble.com>

01.06.2021 6:07, Roger Marquis wrote:

>> Also, changing the root shell is bad for many reasons and I'm not
>> surprised that something doesn't work.
> 
> Surprised this old myth is still being repeated.  Having used various
> root shells in FreeBSD and other Unix/Linux systems for decades I have to
> ask specifically what said reasons are, particularly considering
> /usr/sbin/sysrc starts with "#!/bin/sh" (as does and should every system
> shell script).

The original statement was: "one should not change root shell to something like /usr/local/bin/bash"
and/or "one should not change root shell at all" (unless one knows what one does).

There are multiple ways for an inexperienced root to break things by changing its shell:
- vipw allows one to make a typo in the shell path name, leaving root without a shell (so the "toor" user was born);
- /usr/local/bin/bash or any other shell residing on a file system not mounted in single-user mode,
and/or requiring libraries residing on an inaccessible file system, including NFS-mounted ones;
- some historic scripts making assumptions about root shell behaviour, etc.

So it is much safer to create a distinct non-root user with the desired shell and use "su -m",
which raises privileges but keeps the user environment intact (HOME, shell, other environment).
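As an added illustration (not part of the message above nor of any FreeBSD tool), a small POSIX sh audit that applies the two checks described: it flags UID-0 accounts whose shell field is empty (the vipw typo case) or whose shell lives outside the file systems available in single-user mode, and reports whether at least one UID-0 account (root or toor) still has a usable shell. The prefix list and the passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit (constructed example): check UID-0 accounts in a passwd-format text
# for the two failure modes in the message above: an empty shell field (vipw typo)
# and a shell that does not live on a file system mounted in single-user mode.

# Assumption: on a default install /bin, /sbin and /rescue are on the root file
# system, so shells under them are usable in single-user mode; /usr/local may not be.
SINGLE_USER_PREFIXES="/bin /sbin /rescue"

# Constructed sample in /etc/passwd layout (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/usr/local/bin/bash'

# shell_is_single_user_safe PATH -> 0 if PATH is non-empty and under a safe prefix.
shell_is_single_user_safe() {
    [ -n "$1" ] || return 1
    for p in $SINGLE_USER_PREFIXES; do
        case "$1" in "$p"/*) return 0 ;; esac
    done
    return 1
}

# shell_of PASSWD_TEXT USER -> prints the shell field (last field) of USER.
shell_of() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $NF; exit }'
}

# audit_uid0_shells PASSWD_TEXT -> prints "user shell STATUS" per UID-0 account.
# Returns 0 only if at least one UID-0 account keeps a single-user-safe shell,
# i.e. there is still a way in (this is what "toor" exists for).
audit_uid0_shells() {
    safe_found=1
    for user in $(printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'); do
        shell=$(shell_of "$1" "$user")
        if shell_is_single_user_safe "$shell"; then
            status=OK; safe_found=0
        elif [ -z "$shell" ]; then
            status=EMPTY
        else
            status=RISKY
        fi
        printf '%s %s %s\n' "$user" "${shell:-<none>}" "$status"
    done
    return $safe_found
}

audit_uid0_shells "$SAMPLE_PASSWD"
```

To audit a live system, pass `"$(cat /etc/passwd)"` instead of the sample; the function still only reads the text it is given.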
