For consistency, all the users that have the POSIX shell /bin/sh should be changed to /usr/bin/sh. This is the default shell location. As mentioned. /bin/sh does not exist! Instead, it is a link to the 'real' location and may go away someday (although that has been said for almost 10 years now). The industry standard for SysV V.4 filesystem layout removes the old /bin and /lib directories and moves them to /usr/bin and /usr/lib respectively.
Since /sbin/sh is statically linked, the executables will not use shared libraries, thus increasing the amount of RAM for each /sbin/sh instance. Not a lot of RAM but for dozens to hundreds of users, this might be somewhat important.
And as mentioned, /sbin/sh size looks very wrong. Perhaps it has been hacked. Use the file command to look at it:
# file /sbin/sh
/sbin/sh: PA-RISC1.1 shared executable
# file /usr/bin/sh
/usr/bin/sh: PA-RISC1.1 shared executable dynamically linked
The "dynamically linked" indicates that this program uses shared libraries. I would NOT trust /sbin/sh, especially because it had 777 permissions. Any file or directory with 777 is a huge security risk and you cannot trust the contents of those files or directories. Get a clean version of /usr/bin/sh from another machine or patch the POSIX shell to the latest version and you'll get new executables. I would perform a security check for world-writable permissions, expecially in /sbin and /usr/bin:
find /sbin /usr/bin -perm -002 -exec ll {} \;
This command MUST return nothing. If it shows and files or directories, they must be assumed to be corrupt and either an intruder or a very bad sysadmin has messed with your system. I would also include /etc in the list to be scanned.
Bill Hassell, sysadmin
