Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Dec 2004 10:12:40 -0600
From:      Paul Schmehl <pauls@utdallas.edu>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: Why reccomend Bash shell?
Message-ID:  <0A2B2390CE654BA6B5F8E621@utd49554.utdallas.edu>
In-Reply-To: <41C16D47.7030302@infracaninophile.co.uk>
References:  <005a01c4e31c$efc4d460$0200a8c0@PANASONIULSWMR> <41C16D47.7030302@infracaninophile.co.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
--On Thursday, December 16, 2004 11:11:03 AM +0000 Matthew Seaman 
<m.seaman@infracaninophile.co.uk> wrote:
>
> On point that no one has mentioned on this list yet is that it is a good
> idea to have root's shell be entirely contained on the root partition of
> the system -- ie. not just the executable, but any shlibs it requires as
> well.  There's been a thread over on freebsd-ports@... about ppp(8)
> apparently failing because of problems linking libintl -- which actually
> turned out to be because root's shell had been changed to bash(1).
>
I'm curious to know why you would change root's shell to bash.  You can 
change shells at the cli easily.  What's one more command before you start 
working?
>
> On the other hand, I take the view that the less done by the super user
> the better, and discourage myself to use sudo(1) preferentially and to
> keep su(1) sessions as short as possible by making root's shell as
> /unfriendly/ as possible.
>
Is this a religious argument?  Or is there a sound security basis for it?

I ask because I'm not sure I see the difference.  I prefer to leave sudo 
set up to prompt for a password.  This at least reminds you that what 
you're doing is "root's" work (and if you screw up, you could do "bad" 
things.)  If I'm going to do a lot of work, I just su - to root, do the 
work and then get out.  I don't allow remote root access, so I'm wondering 
- am I exposing my systems to some unnecessary risk?  Or is this just a 
matter of personal preference?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0A2B2390CE654BA6B5F8E621>