Subject: Re: Being Realistic about the Root Shell
To: None <current-users@netbsd.org>
From: Geir Inge Jensen <Geir.I.Jensen@Runit.Sintef.No>
List: current-users
Date: 03/22/1999 18:00:54
Hi,

It is not hard to find a shell that is more user-friendly than
/bin/sh. However, the use of /bin/sh as a root shell has been
obvious when the more user-friendly shells fail (for some reason).
That was the whole idea with the 'toor' account - you use a
user-friendly shell on the root account, and a safe shell that always
works on the other.

I don't like the idea of using a second account with uid 0. I always
delete the 'toor' account, and I always change the root shell to
/bin/sh. That does not mean that I like working in /bin/sh!

I prefer to use ssh when I log into the root account (mostly because
it usually is on a remote machine), and I never use the 'su' command.
(An added bonus is that you get X11 forwarding). In a large site you
don't want to spread the root password too wildly, so I like to
authenticate persons, not the root password. That's why we use RSA
authentication in ssh.

This is my standard addition to root's .profile. This way I get the
best of both worlds; if the user-friendly shell for some reason fails,
you will end up with /bin/sh. Maybe this script will be useful for
someone else...

=== Addition to /root/.profile ===

# Start the correct shell (interactive shells only: $- contains 'i')
case $- in *i*)
   # Default root shell
   export SHELL=/usr/pkg/bin/zsh

   ## Check for users: if the login name is unknown or just "root",
   ## take it from the comment of the first key in the forwarded agent
   if [ "$LOGNAME" = "" -o "$LOGNAME" = "root" ]; then
      if [ -n "${SSH_AUTH_SOCK:-}" ]; then
         # field 4 of 'ssh-add -l' is the key comment, usually user@host
         user=$(/usr/pkg/bin/ssh-add -l | head -1 | cut -d' ' -f4 | cut -d@ -f1)
         if [ "$user" != "" ]; then
            export LOGNAME=$user
         fi
      fi
   fi

   # Per-user preferred shell
   case $LOGNAME in
   gij)
        export SHELL=/usr/pkg/bin/zsh
        ;;
   trkr)
        export SHELL=/usr/pkg/bin/bash
        ;;
   esac

   if [ -x "$SHELL" ]; then
        # test if it really works: start it once with no input and
        # see whether it exits cleanly
        ( exec "$SHELL" </dev/null )
        if [ $? -eq 0 ]; then
           echo "Starting $SHELL..."
           # Should be in cache now
           exec "$SHELL"
        fi
   fi

   # Did not work (or exec returned)
   echo "The execution of $SHELL failed! Using /bin/sh..."
   export SHELL=/bin/sh
   ;;
esac

=== end ===

Regards,
-- 
Geir Inge Jensen                                    gij@jk.priv.no
                                                    http://www.jk.priv.no/
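As an added example (not part of Geir's post, and not NetBSD code), the probe-then-fall-back step of the .profile above written as a stand-alone POSIX sh function, demonstrated with two constructed stand-in shells under a temp directory: one that starts cleanly and one that is executable but fails on start, so both paths are shown. The temp paths, file names and exit codes are made up for the demo.

```shell
#!/bin/sh
# Added example: choose a root shell, falling back to /bin/sh unless the
# preferred shell both exists and can actually start and exit cleanly.
# Assumes a POSIX sh and a writable $TMPDIR (or /tmp) for the demo files.

FALLBACK_SHELL=/bin/sh

# shell_works CANDIDATE
# Returns 0 if CANDIDATE is executable and can run a trivial command and
# exit 0. A missing binary, a broken install or a lost shared library all
# make this fail, which is the case the fallback is for.
shell_works() {
    candidate=$1
    [ -n "$candidate" ] && [ -x "$candidate" ] || return 1
    # stdin closed so an interactive shell cannot sit waiting on us;
    # output discarded so the probe stays silent on the login terminal
    "$candidate" -c 'exit 0' </dev/null >/dev/null 2>&1
}

# pick_shell PREFERRED
# Prints the shell to exec: PREFERRED if it passes the probe, else /bin/sh.
pick_shell() {
    if shell_works "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$FALLBACK_SHELL"
    fi
}

# Demo with constructed stand-ins so it runs anywhere: "goodsh" behaves like
# a working shell, "badsh" is executable but dies on start (exit 127, the
# way a binary with a missing library would).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/shellpick.XXXXXX")
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/goodsh"
printf '#!/bin/sh\necho "libfoo.so: not found" >&2\nexit 127\n' > "$demo_dir/badsh"
chmod 0755 "$demo_dir/goodsh" "$demo_dir/badsh"

echo "preferred=$demo_dir/goodsh -> $(pick_shell "$demo_dir/goodsh")"
echo "preferred=$demo_dir/badsh  -> $(pick_shell "$demo_dir/badsh")"
echo "preferred=/nonexistent     -> $(pick_shell /nonexistent)"
```

In a real .profile the result of pick_shell is what you would exec, after setting SHELL to it so subprocesses see the shell that was actually started.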