change shell for root - Debian


  1. change shell for root

    Is it safe to change the login shell for root?

    I want a tcsh and trash the bash.

    Best regards,

    Stefan

  2. Re: change shell for root

    I think it is safe, but don't remove bash as many scripts depend on it.
    But then, I'm just a rookie myself and might be talking out of my rear end.

    "Stefan Ollermann" wrote in message
    news:20051210171622.18597a0a.Stefan.Ollermann@gmx.de...
    > Is it safe to change the login shell for root?
    >
    > I want a tcsh and trash the bash.
    >
    > Best regards,
    >
    > Stefan




  3. Re: change shell for root

    Lisa Pearlson writes:
    > I think it is safe...


    You are correct, but note that if / and /usr are on different partitions
    root will not be able to log in when /usr is not mounted (i.e., single-user
    mode).

    > ...but don't remove bash as many scripts depend on it.


    Correct again.
    --
    John Hasler

  4. Re: change shell for root

    Stefan Ollermann wrote:
    > Is it safe to change the login shell for root?
    > I want a tcsh and trash the bash.


    Changing the login shell for root is hazardous - even if it's
    "supported" or theoretically supported (e.g., I believe Debian is
    supposed to support using any POSIX compliant shell for root ... of
    course it and its dependencies would also need to exist on the root
    filesystem).

    It's usually best not to muck with root's default login shell. One
    can conveniently switch to another shell once su(1)/sudo(1)ed to root
    (one shouldn't be logging in directly as root, except when it's very
    much required) relatively easily - this is particularly easy on
    Debian, as you also have perl.
    For example, to switch the current root session to the tcsh(1) shell:
    exec perl -e 'exec {'\''/bin/tcsh'\''} '\''-tcsh'\'';'
    And if that's too much to type or paste frequently, you could set it
    up as an alias or command, and invoke it with very few keystrokes.


  5. Re: change shell for root

    Michael Paoli writes:
    > Changing the login shell for root is hazardous - even if it's "supported"
    > or theoretically supported (e.g., I believe Debian is supposed to support
    > using any POSIX compliant shell for root...


    It's perfectly safe to change root's login shell as long as the shell you
    choose is in /bin or /usr/bin is not on a different partition than /bin.
    Scripts don't use root's login shell.

    > For example, to switch the current root session to the tcsh(1) shell:
    > exec perl -e 'exec {'\''/bin/tcsh'\''} '\''-tcsh'\'';' And if that's too
    > much to type or paste frequently, you could set it up as an alias or
    > command, and invoke it with very few keystrokes.


    On the other hand, you could just type 'tcsh -l'.
    --
    John Hasler

  6. Re: change shell for root

    In an earlier post, Michael Paoli postulated:
    > Stefan Ollermann wrote:
    >> Is it safe to change the login shell for root?
    >> I want a tcsh and trash the bash.

    >
    > Changing the login shell for root is hazardous - even if it's
    > "supported" or theoretically supported (e.g., I believe Debian is
    > supposed to support using any POSIX compliant shell for root ... of
    > course it and its dependencies would also need to exist on the root
    > filesystem).
    >
    > It's usually best not to muck with root's default login shell. One
    > can conveniently switch to another shell once su(1)/sudo(1)ed to root
    > (one shouldn't be logging in directly as root, except when it's very
    > much required) relatively easily - this is particularly easy on
    > Debian, as you also have perl.
    > For example, to switch the current root session to the tcsh(1) shell:
    > exec perl -e 'exec {'\''/bin/tcsh'\''} '\''-tcsh'\'';'
    > And if that's too much to type or paste frequently, you could set it
    > up as an alias or command, and invoke it with very few keystrokes.
    >


    As part of my "learning Linux" I always google up relatively simple
    seeming questions that get seemingly complicated replies: sometimes
    there is an easier way I find.

    Q: why can't he just ensure that his shell is in /usr or wherever and edit
    the /etc/passwd file?


    http://www.debian-administration.org/articles/231

    --
    "Well it proves one thing Mr. Hooper. It proves that you wealthy college boys
    don't have the education enough to admit when you're wrong.

  7. Re: change shell for root

    On 23 Dec 2005 13:31:46 -0800,
    Michael Paoli wrote:
    >
    >
    > Stefan Ollermann wrote:
    > > Is it safe to change the login shell for root?
    > > I want a tcsh and trash the bash.

    >
    > Changing the login shell for root is hazardous - even if it's
    > "supported" or theoretically supported (e.g., I believe Debian is
    > supposed to support using any POSIX compliant shell for root ... of
    > course it and its dependencies would also need to exist on the root
    > filesystem).
    >
    > It's usually best not to muck with root's default login shell. One
    > can conveniently switch to another shell once su(1)/sudo(1)ed to root
    > (one shouldn't be logging in directly as root, except when it's very
    > much required) relatively easily - this is particularly easy on
    > Debian, as you also have perl.
    > For example, to switch the current root session to the tcsh(1) shell:
    > exec perl -e 'exec {'\''/bin/tcsh'\''} '\''-tcsh'\'';'
    > And if that's too much to type or paste frequently, you could set it
    > up as an alias or command, and invoke it with very few keystrokes.


    While I'm not positive of all of the security implications, I've
    seen boxes that had a second root account 'toor' with uid and gid
    0, with a different shell, usually tcsh, I imagine it could make
    logging a nightmare if they were different users, but if they're
    the same that shouldn't be a problem.

    Iirc most programs/scripts use uid rather than username which may
    be problematic in some circumstances.

    Michael C.
    --
    mcsuper5@usol.com http://mcsuper5.freeshell.org/

    Programming today is a race between software engineers striving
    to build bigger and better idiot-proof programs, and the
    Universe trying to produce bigger and better idiots. So far, the
    Universe is winning. -- Rich Cook

  8. Re: change shell for root

    John Hasler wrote:
    > It's perfectly safe to change root's login shell as long as the shell you
    > choose is in /bin or /usr/bin is not on a different partition than /bin.
    > Scripts don't use root's login shell.


    Oh? How about a counter example:
    # echo /bin/sync >>/etc/shells
    # chsh -s /bin/sync root
    That would be quite problematic when for some reason only root was
    allowed to login and only from the console.
    Even if one argues "But wait, that's not a shell!", things could still
    be problematic. Various programs/utilities may expect doing something
    like:
    su root -c some_argument
    would have some_argument interpreted by some POSIX compliant shell.
    Various other nastiness is also possible. E.g. let's say one changes
    root's shell to /usr/bin/tcsh. The priority of tcsh is only
    "standard". Such packages can be removed through quite ordinary means
    (e.g. dpkg --remove tcsh). The consequences in such a case wouldn't
    be particularly pleasant.

    There are probably lots of other reasons and examples why changing
    root's shell is, in general, not a good idea, but those are at least
    a couple quick examples.

    Also, for UNIX, BSD, etc., changing root's shell can be even more
    problematic, ... so in general, changing root's shell is not a habit
    one should get into.


  9. Re: multiple UID 0 login accounts (was change shell for root)

    Michael C. wrote:
    > While I'm not positive of all of the security implications, I've
    > seen boxes that had a second root account 'toor' with uid and gid
    > 0, with a different shell, usually tcsh, I imagine it could make
    > logging a nightmare if they were different users, but if they're
    > the same that shouldn't be a problem.
    >
    > Iirc most programs/scripts use uid rather than username which may
    > be problematic in some circumstances.


    Multiple UID 0 login accounts is generally a bad idea security-wise.

    In general, for security,

    o To the extent feasible, one should never log in directly as
    superuser (root). E.g. use sudo from one's individual personal
    login account. Rationale includes auditing/logging and individual
    accountability, control and minimal distribution/use of superuser
    (root) password(s), etc.
    o Don't have multiple superuser (UID 0) accounts. Rationale includes
    auditing/logging (unique UID <--> login name mapping), control and
    minimal distribution/use of superuser (root) password(s), etc.

    Followup-to: adjusted and Subject: updated
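
Added example, not part of the original thread: a small audit of a passwd-format file for the two conditions raised above, more than one UID 0 account and a root login shell that is missing, lives under /usr, or is not listed in /etc/shells. The function names and the sample files are constructed for illustration; with no arguments the functions read the live /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example (not from the thread). File paths are parameters so the
# checks can run against copies; with no arguments they read the live files.

# Login names whose UID field is 0; more than one means a shared superuser identity.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Findings about root's login shell, one per line.
# $1 passwd file, $2 shells file, $3 filesystem root to look under (default "").
audit_root_shell() {
    rsh=$(awk -F: '$1 == "root" { print $7; exit }' "${1:-/etc/passwd}")
    [ -n "$rsh" ] || rsh=/bin/sh            # an empty shell field means /bin/sh
    grep -qxF -- "$rsh" "${2:-/etc/shells}" || echo "not-in-shells:$rsh"
    case $rsh in
        /usr/*) echo "under-usr:$rsh" ;;    # unusable while /usr is not mounted
    esac
    [ -x "${3:-}$rsh" ] || echo "missing:$rsh"   # e.g. the package was removed
    return 0
}

# Constructed sample data: a second UID 0 account, and root set to a
# /usr/bin/tcsh binary that is not present in the sample tree.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin" "$demo_dir/usr/bin"
: > "$demo_dir/bin/bash"; chmod +x "$demo_dir/bin/bash"
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/usr/bin/tcsh
toor:x:0:0:alternate root:/root:/bin/bash
stefan:x:1000:1000:Stefan:/home/stefan:/bin/bash
EOF
printf '%s\n' /bin/sh /bin/bash /usr/bin/tcsh > "$demo_dir/shells"

echo "UID 0 accounts:"
uid0_accounts "$demo_dir/passwd"
echo "root shell findings:"
audit_root_shell "$demo_dir/passwd" "$demo_dir/shells" "$demo_dir"
```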

