
Illegal Login Shell

 
Nobody's Hero
Valued Contributor

Illegal Login Shell

I am getting nailed on a security audit for accounts with invalid shells.

Example:

userid 11111 /bin/ksh
userid 22222 /bin/ksh

I thought that /bin/ksh is the standard login shell. Or is it because I need an entry in /etc/shells to reflect /bin/ksh as being valid?
UNIX IS GOOD
Peter Godron
Honored Contributor

Re: Illegal Login Shell

Robert,
See man ksh for more details, but I think the correct path is /usr/bin/ksh.
Robert-Jan Goossens
Honored Contributor

Re: Illegal Login Shell

Hi Robert,

I think you are correct; you could also change the Korn shell from /bin/ksh to /usr/bin/ksh.

Both shells are dynamically linked.

Regards,
Robert-Jan
James R. Ferguson
Acclaimed Contributor
Solution

Re: Illegal Login Shell

Hi Robert:

Well, on HP-UX, the '/bin' directory is a symbolic link to '/usr/bin'.

In reality, '/bin' and '/lib' (which is a symbolic link to '/usr/bin'), among others, are "transition" links dating to the time the filesystem layout was redrafted at the advent of HP-UX 10.0.

Transition links are *deprecated* and will (probably) *disappear* in 11iv3 (11.31).

The original white paper describing the filesystem changes appears here:

http://www.docs.hp.com/en/5963-8942/5963-8942.pdf

Transition links have a permission pattern that has a "t" as if the sticky bit were set:

# ls -ld /bin
lr-xr-xr-t 1 root sys 8 Aug 20 1997 /bin -> /usr/bin

This "t" indicates a transition link.

Regards!

...JRF...
doug hosking
Esteemed Contributor

Re: Illegal Login Shell

Yes, /bin is a link to /usr/bin on some releases, but not all software is smart enough to know that, if it's just doing a string compare against the list of paths in /etc/shells, for example. I've found it less troublesome in some cases to include both the /bin version and the /usr/bin version of the shell path in /etc/shells for whatever list of shells you care about.
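
The string-compare behaviour discussed in this thread, as an added example that is not from any of the posters: it audits login shells against an /etc/shells list twice, once by literal string match and once after resolving symlinked directories. The scratch tree, the account names user1 to user3 and the helper functions `canon`, `audit_shells` and `make_sample_root` are all constructed for illustration.

```shell
#!/bin/sh
# Added example; every path and account below is constructed sample data.

# canon PATH: print PATH with symlinked directories resolved; fail if the directory is missing.
canon() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# audit_shells ROOT MODE: print "user shell" for each account that fails the check.
audit_shells() {
    root=$1 mode=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ "$mode" = literal ]; then
            # Exact string match against the shells list, as a simple audit tool would do.
            if grep -Fqx -- "$shell" "$root/etc/shells"; then continue; fi
        else
            # Compare physical paths, so /bin/ksh and /usr/bin/ksh count as the same file.
            ok=no
            if want=$(canon "$root$shell"); then
                while read -r entry; do
                    if [ "$(canon "$root$entry")" = "$want" ]; then ok=yes; fi
                done < "$root/etc/shells"
            fi
            if [ "$ok" = yes ]; then continue; fi
        fi
        printf '%s %s\n' "$user" "$shell"
    done < "$root/etc/passwd"
}

# make_sample_root: build a scratch tree where bin is a symlink to usr/bin.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/usr/bin" "$r/etc"
    : > "$r/usr/bin/ksh"
    ln -s usr/bin "$r/bin"   # stands in for the /bin -> /usr/bin transition link
    printf '%s\n' /usr/bin/sh /usr/bin/ksh > "$r/etc/shells"
    printf '%s\n' \
        'user1:*:11111:20::/home/user1:/bin/ksh' \
        'user2:*:22222:20::/home/user2:/usr/bin/ksh' \
        'user3:*:33333:20::/home/user3:/opt/none/zsh' > "$r/etc/passwd"
    printf '%s\n' "$r"
}

ROOT=$(make_sample_root)
echo "literal compare flags:";  audit_shells "$ROOT" literal
echo "resolved compare flags:"; audit_shells "$ROOT" resolved
rm -rf "$ROOT"
```

An account that appears only in the literal list is a path-spelling mismatch with /etc/shells; one that appears in both lists has a shell that is not on the approved list under either spelling.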