From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Date: Thu, 10 Nov 2005 15:44:44 +0100 (CET)
Subject: Re: upgrading 5.4 -> 6.0 without reinstalling. safe ?

Marwan Burelle wrote:
 > On Thu, Nov 10, 2005 at 02:13:26PM +0100, Oliver Fromme wrote:
 > > Under some circumstances it can also be useful to have
 > > an "emergency user" which is not dependent on anything
 > > outside the base system (i.e. doesn't use anything from
 > > /usr/local, doesn't have its home on an NFS volume,
 > > doesn't have its account information on NIS etc.).  It
 > > should be a member of the wheel group so it can do "su".
 >
 > In the same idea, I never change root's shell

I never change root's login shell either -- because it is
never used.

 > I think also that root should have /rescue/*sh as shell (static
 > versions) just to be sure ...

Well, I vote for /sbin/nologin as root's login shell.

In single-user mode, the system asks for the shell, with
/bin/sh being the default.  In multi-user mode, nobody
should ever log in as root.  You rather log in as normal
user and then use "su -m", or use sudo(8) or super(1) or
whatever.

Therefore I think root's login shell has zero meaning,
and it should be /sbin/nologin for security reasons (in
case you accidentally enabled root login via ssh, or you
have set the virtual terminals to "secure" in /etc/ttys).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"UNIX was not designed to stop you from doing stupid things,
because that would also stop you from doing clever things."
        -- Doug Gwyn
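
The three settings the message above names (root's login shell, "secure" lines in /etc/ttys, root login via ssh) can be audited together. This is an added example, not part of the original post: the function names are hypothetical, the sample files are constructed, and sshd_config Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example. Each check takes a file path so it can be run on copies.

# UID-0 accounts whose last field (the shell) is not .../nologin -> "name:shell"
root_login_shells() {
    awk -F: '$1 !~ /^#/ && $3 == "0" && $NF !~ /\/nologin$/ { print $1 ":" $NF }' "$1"
}

# ttys(5) entries that are both "on" and "secure" (root may log in there)
secure_ttys() {
    awk '/^[ \t]*#/ { next }
         { line = $0; gsub(/"[^"]*"/, "X", line); sub(/#.*/, "", line)
           n = split(line, f); on = 0; sec = 0
           for (i = 4; i <= n; i++) { if (f[i] == "on") on = 1; if (f[i] == "secure") sec = 1 }
           if (on && sec) print f[1] }' "$1"
}

# First PermitRootLogin value in an sshd_config-format file, or "unset".
# Match blocks are not evaluated (simplification).
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Returns 1 when a UID-0 account has a real shell and a direct login path exists.
audit_root_login() {   # $1 = passwd, $2 = ttys, $3 = sshd_config
    shells=$(root_login_shells "$1"); ttys=$(secure_ttys "$2"); ssh=$(sshd_root_login "$3")
    echo "uid0-with-shell: $(echo $shells)"
    echo "secure-ttys: $(echo $ttys)"
    echo "PermitRootLogin: $ssh"
    [ -z "$shells" ] && return 0
    # Anything but an explicit "no" counts: the built-in default varies by build.
    [ -z "$ttys" ] && [ "$ssh" = "no" ] && return 0
    return 1
}

# Constructed sample files (not taken from any real host).
d=$(mktemp -d)
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' 'toor:*:0:0:Bourne-again Superuser:/root:' \
    'emerg:*:1001:1001:Emergency user:/home/emerg:/bin/sh' > "$d/passwd"
sed 's#/bin/csh$#/sbin/nologin#; s#^\(toor:.*:\)$#\1/sbin/nologin#' "$d/passwd" > "$d/passwd.fixed"
printf '%s\n' 'console none unknown off secure' 'ttyv0 "/usr/libexec/getty Pc" cons25 on secure' \
    'ttyv1 "/usr/libexec/getty Pc" cons25 on insecure' > "$d/ttys"
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
audit_root_login "$d/passwd" "$d/ttys" "$d/sshd_config" || echo "=> root can log in directly"
audit_root_login "$d/passwd.fixed" "$d/ttys" "$d/sshd_config" && echo "=> root has no login shell"
```

An empty shell field, as on the constructed toor line, means /bin/sh, so it is reported as a usable shell.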