To illustrate, consider the need to
prevent the ftp pseudouser from misusing sendmail:
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/no/shell
Here, any attempt by ftp to send mail through a program or into a file will fail
because the shell /no/shell is not a valid shell. Such mail will bounce with one of these
two errors:
User ftp@here.us.edu doesn't have a valid shell for mailing to programs
User ftp@here.us.edu doesn't have a valid shell for mailing to files
* The /etc/shells file is also used by the ftpd daemon, and by other daemons, to screen users.
† This is an amalgamation of many vendor lists. See conf.c in the source distribution for details.
This is the Title of the Book, eMatter Edition
Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
Note that unusual circumstances might require you to allow users with invalid shells
to run programs or deliver to files. To enable this for all such users (as on a mail
server with restricted logins), place the following line directly in the /etc/shells file:
/SENDMAIL/ANY/SHELL/
To enable this for selected users, just replace their shell with a bogus one that is
listed in /etc/shells:
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/bogus/shell
We recommend that all pseudousers (such as bin and ftp) be given invalid shells in
the password file and that /SENDMAIL/ANY/SHELL/ never be used.
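The following audit sketch is an added example, not code from the book or from the sendmail distribution. It applies the shell check described above to passwd-style and shells-style text and reports pseudousers who could still mail to programs or files. The sample data, the PSEUDOUSERS set, and the function names are assumptions made for illustration.

```python
WILDCARD = "/SENDMAIL/ANY/SHELL/"

def parse_shells(text):
    """Shells listed in an /etc/shells-style file, minus comments and blanks."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {e for e in entries if e}

def audit(passwd_text, shells_text, pseudousers):
    """Return (account, reason) pairs for pseudousers whose mail to programs
    or files would be accepted under the shell check described above."""
    shells = parse_shells(shells_text)
    wildcard = WILDCARD in shells
    findings = []
    if wildcard:
        findings.append(("*", WILDCARD + " is listed: the check passes for all users"))
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0] not in pseudousers:
            continue
        name, shell = fields[0], fields[6]
        if not shell:
            # passwd(5) convention: an empty shell field means the default shell.
            findings.append((name, "empty shell field"))
        elif shell in shells:
            findings.append((name, shell + " is listed in the shells file"))
        elif wildcard:
            findings.append((name, shell + " is unlisted but the wildcard allows it"))
    return findings

# Constructed sample data (not from a real host).
SAMPLE_PASSWD = """\
root:*:0:0:Super User:/:/bin/sh
bin:*:3:7:Binaries:/bin:/bogus/shell
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/no/shell
"""
SAMPLE_SHELLS = """\
# constructed /etc/shells
/bin/sh
/bogus/shell
"""
PSEUDOUSERS = {"bin", "ftp"}  # assumption: list maintained by the administrator

if __name__ == "__main__":
    for account, reason in audit(SAMPLE_PASSWD, SAMPLE_SHELLS, PSEUDOUSERS):
        print(f"{account}: {reason}")
```

On the sample data only bin is reported, because /bogus/shell is listed in the shells file while ftp's /no/shell is not.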