Adding /bin/false to /etc/shells 

Newsgroups:  gmane.linux.debian.user
Date:        Mon, 18 Dec 2006 12:10:31 -0500

> Is there any objection against adding /bin/false to the file
> /etc/shells? Most notably, are there any security considerations?
>
> I wish to create a user that can log in to my FTP server, but without
> shell access. I can prevent the shell access by specifying /bin/false
> as the user shell. But my ProFTPD server will only allow this user to
> log in if /bin/false is present in /etc/shells. By default this is not
> the case.

You don't even need to have /bin/false in /etc/shells. In fact, you can give the user any binary which is not in /etc/shells and he won't be able to log in. But /bin/false is the usual for users not permitted to log in via the shell.

Roberto C. Sanchez

> Is there any objection against adding /bin/false to the file
> /etc/shells? Most notably, are there any security considerations?

It's common to use /bin/false for users who can't log in, and that usually includes blocking access to FTP, so it might be a surprise to a future admin who adds a user with a shell of /bin/false to find that this user can actually log in to FTP.

A common technique which is probably better is to set the shell to something like "/bin/ftponly", and either make that a symlink to /bin/false or else just leave it nonexistent. Nobody will be surprised that a user with a shell of "/bin/ftponly" can log in to FTP, and the user still won't be able to log in to a shell.

Scott Gifford
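
An added example, not from either poster: a POSIX shell audit of which accounts would satisfy a check of the login shell against the shells file, comparing the effect of listing /bin/false with listing the dedicated /bin/ftponly described in the reply above. The passwd and shells contents, the account names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.

# Print "user shell" for each account in passwd-format file $1 whose login
# shell is listed in shells-format file $2 (comments and blanks ignored).
shell_listed_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {            # first operand: the shells list
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") listed[$0] = 1
            next
        }
        ($7 in listed) { print $1, $7 }  # second operand: passwd entries
    ' "$2" "$1" | LC_ALL=C sort
}

# Of those, keep accounts on a generic no-login shell: the ones a later admin
# would assume are locked out of every service.
surprise_accounts() {
    shell_listed_accounts "$1" "$2" | awk '$2 ~ /\/(false|nologin)$/ { print $1 }'
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT

cat > "$demo/passwd.false" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftpuser:x:1001:1001:FTP only:/srv/ftp:/bin/false
EOF
# Same accounts, but the FTP-only user gets the dedicated marker shell.
sed 's#^\(ftpuser:.*\):/bin/false$#\1:/bin/ftponly#' \
    "$demo/passwd.false" > "$demo/passwd.ftponly"

printf '%s\n' '# /etc/shells' /bin/sh /bin/bash /bin/false   > "$demo/shells.false"
printf '%s\n' '# /etc/shells' /bin/sh /bin/bash /bin/ftponly > "$demo/shells.ftponly"

echo "== /bin/false listed: no-login accounts that now pass the shell check =="
surprise_accounts "$demo/passwd.false" "$demo/shells.false"
echo "== /bin/ftponly listed instead: every account that passes =="
shell_listed_accounts "$demo/passwd.ftponly" "$demo/shells.ftponly"
```

To audit a real host, call the two functions with /etc/passwd and /etc/shells as arguments.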