Menu
▾
▴
Re: [Proftpd-user] RequireValidShell
|
From: Calyth <ca...@sh...> - 2001-11-14 20:28:25
|
The Flying Hamster wrote: > On Wed, Nov 14, 2001 at 10:29:16AM +0100, Tom Fischer wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Hi, > > > > is RequireValidShell decreasing security for some reason? If not, what is the > > reason to configure it extra? > > In theory having "RequireValidShell yes" will make the server slightly > more secure _if_ /etc/shells has a limited number of entries (ie a > tight overall server policy) in itself it makes no difference. What > it gives is a method for bypassing the system level security limits. > Given I tend to ensure that all ftp users have a null shell (/bin/true > or similar) it's not a major issue generally for me. > Wouldn't one argue that by disabling valid shell, one could allow ftp access to some without allowing shell access on the computer itself? I run ssh and proftpd, and I turn RequireValidShell off so that some of the ftp users don't get to use the shell because I change their shell to a fakeshell. Calyth |