Re: What goes into the security doc?
От | Andrew Dunstan |
---|---|
Тема | Re: What goes into the security doc? |
Дата | |
Msg-id | 002b01c2c3be$68262c90$1a01000a@rduadunstan2 обсуждение исходный текст |
Ответ на | Re: What goes into the security doc? (Robert Treat <xzilla@users.sourceforge.net>) |
Список | pgsql-hackers |
man su says (on Linux): -s, --shell=SHELL run SHELL if /etc/shells allows it Illustration: [adunsta:adunsta]$ su -s /bin/tcsh - -c 'ps -f $$' Password: UID PID PPID C STIME TTY STAT TIME CMD root 10682 10681 0 10:34 pts/0 S 0:00 -tcsh -c ps -f $$ [adunsta:adunsta]$ So setting /bin/true as the login shell prevents real logins but doesn't prevent running commands as the user via su, even from a login shell. andrew ----- Original Message ----- From: "Dan Langille" <dan@langille.org> To: "Christopher Kings-Lynne" <chriskl@familyhealth.com.au> Cc: <pgsql-hackers@postgresql.org> Sent: Friday, January 24, 2003 10:00 AM Subject: Re: [HACKERS] What goes into the security doc? > On 22 Jan 2003 at 13:29, Christopher Kings-Lynne wrote: > > > Recommend always running "initdb -W" and setting all pg_hba entries to md5. > > Thanks. I also encountered this item on IRC: > > [09:26] <fede2> Guys, is there a problem with using /bin/true of > /bin/false as the shell of the postgres user? The docs only says > "adduser postgres" , witch will give postgres a nice shell. > [09:27] <fede2> I'm asking because the guys from Gentoo (thats a > distro FWIW), want to use either /bin/false of /bin/true as postgres' > shell. > [09:27] <dvl> fede2: it means you won't be able to become the > postgres user to run commands. > [09:27] <mmc_> ... to run SHELL commands. > [09:29] <fede2> dvl: Aldo it's not the same, one could use "su -c foo > postgres" to workarround it. > [09:30] <fede2> dvl: I was wondering if it had an even heavier > reason, besides that. > [09:34] <mmc_> fede2: tha manpage of su says, that -c args is treated > by the login shell ! > [09:35] <fede2> mmc_: Hmm.. true. That makes it a heavy enough > reason. Thanks. > [09:35] * fede2 departs > -- > Dan Langille : http://www.langille.org/ > > > ---------------------------(end of broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org
В списке pgsql-hackers по дате отправления: