Bug 339073

Summary: rbash not in /etc/shells
Product: [openSUSE] openSUSE 10.3
Version: Final
Reporter: Carlos Robinson <carlos.e.r>
Component: YaST2
Assignee: Ruediger Oertel <ro>
Status: RESOLVED WONTFIX
QA Contact: E-mail List <qa-bugs>
Severity: Minor
Priority: P5 - None
CC: jsuchome, ro, security-team, tgoettlicher, werner
Target Milestone: ---
Hardware: Other
OS: openSUSE 10.3
Bug Depends on: 223159

Description Carlos Robinson 2007-11-05 12:23:40 UTC
First, Yast user management (gnome style) does not offer rbash in the drop list. If I manually type "/bin/rbash", it doesn't work because it is "/usr/bin/rbash" instead. Plus, yast warns that the chosen shell does not exist (when it does) and the user will fail. Ignoring this and creating the new user produces a user that can't run anything: not because the shell is wrong, but because the user gets the wrong path:

PATH=/usr/lib/restricted/bin

When typing any command, I get:

  cer3@nimrodel:~> ls
  -rbash: ls: command not found
  cer3@nimrodel:~> 

/etc/passwd entry is:

cer3:x:2000:100:Carlos E. R. M.,testing user:/home/cer3:/usr/bin/rbash


I file this as a security bug because I consider rbash a security feature, and being forced to use a normal shell is a security risk.

This system was updated to 10.3 from 10.2 (boxed set I got as a "present" from you for collaboration with beta testing).
Comment 1 Ludwig Nussel 2007-11-05 12:29:29 UTC
A restricted shell doesn't make sense without a restricted PATH. That was a problem in previous default configurations. So you need to put a symlink to all commands you want to allow to /usr/lib/restricted/bin yourself now.
Comment 2 Carlos Robinson 2007-11-05 14:17:21 UTC
Ok... that's just a change, then.

What about Yast saying that the shell is invalid and doesn't exist?

Surely that's a bug. Perhaps you can forward this bugzilla to the Yast folks.
Comment 4 Jiří Suchomel 2007-11-05 21:43:06 UTC
YaST is _not_ saying that the shell you have entered does not exist, it is saying:

"If you select a nonexistent shell, the user may be unable to log in.
Use this shell?"

which is a very different message. It shows that YaST doesn't know that shell. Ludwig, do you know why /bin/rbash is not listed in /etc/shells?
Comment 5 Ludwig Nussel 2007-11-06 08:16:39 UTC
I don't know. I can't really judge whether it would be a good idea to add it either.
Not having rbash in /etc/shells means that
 - a user cannot use chsh to set the login shell to rbash, which means he cannot accidentally lock himself into a restricted environment
 - pam_shells will refuse authentication, i.e. a user with rbash cannot authenticate with pure-ftpd or vsftpd.
Comment 6 Jiří Suchomel 2007-11-06 09:43:47 UTC
Anyway, this is not a YaST issue; yast2-users relies on the content of /etc/shells.
Comment 7 Dr. Werner Fink 2007-11-06 10:35:23 UTC
Please remember Jiří:

 /suse/werner> rpm -qf /etc/shells
 aaa_base-10.3-90
 /suse/werner> maintainer aaa_base
 ro@novell.com

Besides this, a restricted shell only makes sense with a restricted PATH,
otherwise the user of a restricted shell may escape by executing /bin/bash.
It is on the system administrator to add utilities like /bin/ls by setting
the appropriate symbolic link in /usr/lib/restricted/bin .

IMHO it is also the job of the system administrator to use `useradd' with
the option `-s /usr/bin/rbash' to add a restricted user.  Nevertheless
AFAICS the rbash *is* part of the /etc/shells:

 /suse/werner> grep rbash /etc/shells
 /usr/bin/rbash

... this is the same path as for the 10.2, if YaST does not find the
rbash this is a bug of YaST.
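Added example, not part of the bug report and not openSUSE's own scripts: the restricted-login setup that comments 1, 5 and 7 describe (rbash with a PATH made of administrator-created symlinks, plus the exact-line /etc/shells lookup that chsh and pam_shells rely on), rebuilt in scratch directories so it can be checked without touching /usr/lib/restricted/bin or /etc/shells. It assumes bash is installed and uses `bash -r`, which bash documents as the same restricted mode it enters when invoked as rbash, so the real /usr/bin/rbash is not needed. The restricted directory and the shells file are constructed with mktemp (the sample shells file mirrors comment 8: no rbash line), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug or from openSUSE): rebuild the restricted
# environment from this thread in scratch directories. Needs bash; "bash -r"
# is the restricted mode bash enters when started as rbash.

BASH_BIN=$(command -v bash) || { echo "bash not found" >&2; exit 1; }

# Stand-in for /usr/lib/restricted/bin: a fresh directory holding one symlink
# per command the administrator decides to allow (the manual step from
# comments 1 and 7). Prints the directory name.
make_restricted_bin() {
    dir=$(mktemp -d) || return 1
    for cmd in "$@"; do
        real=$(command -v "$cmd") || return 1
        ln -s "$real" "$dir/$cmd" || return 1
    done
    printf '%s\n' "$dir"
}

# Run one command line under restricted bash with PATH pinned to the given
# directory, as an rbash user's login shell would see it, and print the
# exit status (127 = command not found, the symptom in the report).
restricted_status() {
    rbin=$1; shift
    status=0
    env -i PATH="$rbin" "$BASH_BIN" -r -c "$*" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# The check that chsh(1) and pam_shells effectively perform: the shell path
# must appear as an exact line in the shells file. The file is a parameter
# so the check runs against a constructed sample rather than /etc/shells.
shell_listed() {
    grep -Fxq -- "$2" "$1"
}

# Constructed sample of a 10.3-style /etc/shells with no rbash entry.
make_sample_shells() {
    f=$(mktemp) || return 1
    printf '%s\n' /bin/sh /bin/bash /bin/ash /usr/bin/zsh > "$f"
    printf '%s\n' "$f"
}

# Walk through the situations from the thread.
demo() {
    empty=$(mktemp -d) || return 1
    rbin=$(make_restricted_bin ls) || return 1
    shells=$(make_sample_shells) || return 1

    # 1. Fresh rbash user, nothing symlinked yet: every command fails (127).
    echo "empty restricted bin, 'ls':   $(restricted_status "$empty" ls)"
    # 2. After the admin symlinks ls, it works (0); slashes in arguments are fine.
    echo "ls symlinked, 'ls /':         $(restricted_status "$rbin" ls /)"
    # 3. The escapes a restricted PATH is meant to block all fail (non-zero):
    #    rbash rejects command names with '/', assignments to PATH, and cd.
    echo "escape via /bin/bash:         $(restricted_status "$rbin" /bin/bash -c true)"
    echo "escape via PATH=/bin:         $(restricted_status "$rbin" 'PATH=/bin && ls /bin')"
    echo "escape via cd:                $(restricted_status "$rbin" cd /)"
    # 4. Whether chsh/pam_shells would accept the shell depends on /etc/shells.
    if shell_listed "$shells" /usr/bin/rbash; then
        echo "/usr/bin/rbash listed in sample shells file: yes"
    else
        echo "/usr/bin/rbash listed in sample shells file: no"
    fi

    rm -rf "$empty" "$rbin" "$shells"
}

demo
```

Running it shows the first probe failing with 127 exactly as in the report, the second succeeding once ls has its symlink, and the three escape attempts rejected. On the real system the remaining steps are the ones comment 7 names: `useradd -s /usr/bin/rbash` for the account and a symlink in /usr/lib/restricted/bin for each permitted command; note that the restriction is only as strong as the allowed commands, since any of them that can spawn a subprocess (an editor or pager with a shell escape, for instance) reopens the path to an unrestricted shell.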
Comment 8 Ludwig Nussel 2007-11-06 10:55:32 UTC
$ grep rbash /mounts/dist/unpacked/i386.full/etc/shells 
$
Comment 9 Dr. Werner Fink 2007-11-06 11:38:04 UTC
This bug depends on bug #223159
Comment 10 Ludwig Nussel 2007-11-06 12:27:38 UTC
so bug 223159 is the reason why rbash is not in /etc/shells on 10.3. I.e. a feature, not a bug.