Re: [HEADSUP] making /bin/sh the default shell for root

Reply: Chris : "Re: [HEADSUP] making /bin/sh the default shell for root"
In reply to: Warner Losh : "Re: [HEADSUP] making /bin/sh the default shell for root"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Wed, 22 Sep 2021 19:26:41 UTC

W dniu 22.09.2021 o 19:46, Warner Losh pisze:
> On Wed, Sep 22, 2021 at 9:35 AM John Baldwin <jhb@freebsd.org> wrote:
> 
>> On 9/22/21 1:36 AM, Baptiste Daroussin wrote:
>>> Hello,
>>>
>>> TL;DR: this is not a proposal to deorbit csh from base!!!
>>>
>>> For years now, csh is the default root shell for FreeBSD, csh can be
>> confusing
>>> as a default shell for many as all other unix like settled on a bourne
>> shell
>>> compatible interactive shell: zsh, bash, or variant of ksh.
>>>
>>> Recently our sh(1) has receive update to make it more user friendly in
>>> interactive mode:
>>> * command completion (thanks pstef@)
>>> * improvement in the emacs mode, to make it behave by default like other
>> shells
>>> * improvement in the vi mode (in particular the vi edit to respect
>> $EDITOR)
>>> * support for history as described by POSIX.
>>>
>>> This makes it a usable shell by default, which is why I would like to
>> propose to
>>> make it the default shell for root starting FreeBSD 14.0-RELEASE (not
>> MFCed)
>>>
>>> If no strong arguments has been raised until October 15th, I will make
>> this
>>> proposal happen.
>>>
>>> Again just in case: THIS IS NOT A PROPOSAL TO REMOVE CSH FROM BASE!
>>
>> I think this is fine.  I would also be fine with either removing 'toor'
>> from the
>> default password file or just leaving it as-is for POLA.  (I would probably
>> prefer removing it outright.)
>>
> 
> I think this is also fine. I also think we should remove toor from the
> default
> password file for one fewer attack surfaces. I strongly prefer this. Users
> that want toor can add it to their system and/or provisioning scripts.
> 
> Warner
> 

I am curious which attacks you are referring to since I have never heard
of attacks on toor account. I have seen a lot of malware attacking root,
admin, nobody, and other accounts, but never toor.

TBH toor might be handy as a backdoor account if you are familiar with
FreeBSD enough to take advantage of it. It can also act as an account of
last resort when someone breaks into your system and changes root
password, wipes ssh keys etc, so it cuts both ways, not even mentioning
 POLA.

The transition from csh to sh as a default root's shell will probably
save some CPU cycles for people using Chef, Ansible, etc thus pushing
FreeBSD toward green computing. Sysadmins bound to csh will be fine
until it remains in the base system and chsh works.

I shouldn't probably post here since I am only a voice from the userbase
but can't help doing so.

Kind regards,
-- 
Marek Zarychta