Thanks to: Brett Monroe, Casper Dik, topher, John Timon, Rich Teer, Crist Clark, Michael Peppard, Debbie Tropiano...

All agreed that root's shell should not be changed, i.e. if the system reboots and needs fsck or single user mode, you'll have to boot into cdrom -- too much of a hassle. Casper and Crist both mentioned that and changing root's shell will not prevent the exploit because it's executable w/in sendmail, dns, etc. and not user's shell.

One mentioned that passwd -l might be safer than changing root's shell. One mentioned using qmail and dnscache, of course there's also postfix, but it's a major overhaul moving to a different mail software...

Leaving root's shell alone for now and just keep patching away.

- Mike

---------- original message ----------

Maybe I'm not thinking right today or overlooking something simple, but...

Anyone implementing root's shell to be /bin/false? Since most of us here at work do sudo, and with so many bugs/patches required for sendmail, DNS, and the likes, I can't keep up in a timely manner. I was just wondering if anyone decided to have root shell as /bin/false -- i.e. easy enough to boot the system via cdrom and recover, edit root's entry should it be necessary.

...or maybe another shell; not sure if anything will be broken/requires root's shell to be /sbin/sh or not.

Note, shell changes only, I'm not suggesting passwd -l the account; but then no one needs to login as root in the first place.

Thanks.

- Mike

[ In addition to www.sunfreeware.com more packages at ftp.patriots.net ]
-----
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, Historical Review of Pennsylvania.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Tue Apr 1 15:05:44 2003
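
The thread weighs two controls on the root account, the login shell and `passwd -l`; the script below is an added example, not part of the original messages, that reports both for every UID-0 account. The function name `audit_uid0`, the sample accounts and the `*LK*` lock marker at the start of the shadow password field (Solaris style) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report every UID-0 account's shell and password-lock state.
# Assumption: Solaris-style shadow, where passwd -l leaves "*LK*" at the start of field 2.

# audit_uid0 PASSWD_FILE SHADOW_FILE
audit_uid0() {
    awk -F: '
        # First file (shadow): remember each password field by account name.
        NR == FNR { pw[$1] = $2; next }
        # Second file (passwd): look only at accounts with UID 0.
        $3 == 0 {
            base = $7; sub(/.*\//, "", base)
            login = (base == "false" || base == "nologin") ? "disabled" : "usable"
            if (!($1 in pw))                     state = "unknown"
            else if (index(pw[$1], "*LK*") == 1) state = "locked"
            else if (pw[$1] == "")               state = "empty"
            else                                 state = "set"
            printf "%s shell=%s login=%s password=%s\n", $1, $7, login, state
        }
    ' "$2" "$1"
}

# Constructed sample files (not real accounts or hashes).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
toor:x:0:0:Second UID-0 account:/:/bin/false
daemon:x:1:1::/:
admin1:x:1001:10:Admin:/export/home/admin1:/bin/ksh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:*LK*:12143::::::
toor:CONSTRUCTED-HASH:12143::::::
daemon:NP:6445::::::
admin1:CONSTRUCTED-HASH:12143::::::
EOF

audit_uid0 "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

The report covers interactive login only; as the replies in the thread point out, neither setting affects code that runs inside a daemon already executing as root.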
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:08 EST