Re: [HEADSUP] making /bin/sh the default shell for root
- In reply to: Marek Zarychta : "Re: [HEADSUP] making /bin/sh the default shell for root"
Date: Wed, 22 Sep 2021 21:45:18 UTC
On 2021-09-22 12:26, Marek Zarychta wrote:
> On 22.09.2021 at 19:46, Warner Losh wrote:
>> On Wed, Sep 22, 2021 at 9:35 AM John Baldwin <jhb@freebsd.org> wrote:
>>
>>> On 9/22/21 1:36 AM, Baptiste Daroussin wrote:
>>>> Hello,
>>>>
>>>> TL;DR: this is not a proposal to deorbit csh from base!!!
>>>>
>>>> For years now, csh is the default root shell for FreeBSD, csh can be confusing
>>>> as a default shell for many as all other unix like settled on a bourne shell
>>>> compatible interactive shell: zsh, bash, or variant of ksh.
>>>>
>>>> Recently our sh(1) has received updates to make it more user friendly in
>>>> interactive mode:
>>>> * command completion (thanks pstef@)
>>>> * improvement in the emacs mode, to make it behave by default like other shells
>>>> * improvement in the vi mode (in particular the vi edit to respect $EDITOR)
>>>> * support for history as described by POSIX.
>>>>
>>>> This makes it a usable shell by default, which is why I would like to propose to
>>>> make it the default shell for root starting FreeBSD 14.0-RELEASE (not MFCed)
>>>>
>>>> If no strong arguments have been raised until October 15th, I will make this
>>>> proposal happen.
>>>>
>>>> Again just in case: THIS IS NOT A PROPOSAL TO REMOVE CSH FROM BASE!
>>>
>>> I think this is fine. I would also be fine with either removing 'toor' from the
>>> default password file or just leaving it as-is for POLA. (I would probably
>>> prefer removing it outright.)
>>>
>>
>> I think this is also fine. I also think we should remove toor from the default
>> password file for one fewer attack surfaces. I strongly prefer this. Users
>> that want toor can add it to their system and/or provisioning scripts.
>>
>> Warner
>>
>
> I am curious which attacks you are referring to since I have never heard
> of attacks on toor account. I have seen a lot of malware attacking root,
> admin, nobody, and other accounts, but never toor.

In the 30 some yrs I've been on UNIX and the likes. I've only ever known
~half a dozen administrators that ever choose toor. Those that want to
continue doing so, will not be prevented from continuing to do so.

>
> TBH toor might be handy as a backdoor account if you are familiar with
> FreeBSD enough to take advantage of it. It can also act as an account of
> last resort when someone breaks into your system and changes root
> password, wipes ssh keys etc, so it cuts both ways, not even mentioning
> POLA.

TBH this is a non-issue. toor is simply an alias to root. Anyone that has
a root hacked system need only spin up the FreeBSD mini iso/img, mount
their hacked system && hack back into shape. :-)

Props to all the work and proposed changes here.

Thanks! :-)

--Chris

P.S. This is NOT a bike shed.

>
> The transition from csh to sh as a default root's shell will probably
> save some CPU cycles for people using Chef, Ansible, etc thus pushing
> FreeBSD toward green computing. Sysadmins bound to csh will be fine
> until it remains in the base system and chsh works.
>
> I shouldn't probably post here since I am only a voice from the userbase
> but can't help doing so.
>
> Kind regards,