Subject: Re: Being Realistic about the Root Shell
To: None <current-users@netbsd.org>
From: Geir Inge Jensen <Geir.I.Jensen@Runit.Sintef.No>
List: current-users
Date: 03/22/1999 18:00:54
Hi,
It is not hard to find a shell that is more user-friendly than
/bin/sh. However, the use of /bin/sh as a root shell has been
obvious when the more user-friendly shells fail (for some reason).
That was the whole idea with the 'toor' account - you use a
user-friendly shell on the root account, and a safe shell that always
works on the other.
I don't like the idea of using a second account with uid 0. I always
delete the 'toor' account, and I always change the root shell to
/bin/sh. That does not mean that I like working in /bin/sh!
I prefer to use ssh when I log into the root account (mostly because
it usually is on a remote machine), and I never use the 'su' command.
(An added bonus is that you get X11 forwarding.) In a large site you
don't want to spread the root password too wildly, so I like to
authenticate persons, not the root password. That's why we use RSA
authentication in ssh.
This is my standard addition to root's .profile. This way I get the
best of both worlds; if the user-friendly shell for some reason fails,
you will end up with /bin/sh. Maybe this script will be useful for
someone else...
=== Addition to /root/.profile ===
# Start the correct shell (only for interactive shells)
case $- in *i*)
    # Default root shell
    export SHELL=/usr/pkg/bin/zsh

    ## Check for users: when logged in as root over ssh, take the
    ## user name from the comment of the first key held by the agent
    if [ "$LOGNAME" = "" -o "$LOGNAME" = "root" ]; then
        if [ -n "${SSH_AUTH_SOCK:-}" ]; then
            user=$(/usr/pkg/bin/ssh-add -l | head -1 | cut -d' ' -f4 | cut -d@ -f1)
            if [ "$user" != "" ]; then
                export LOGNAME=$user
            fi
        fi
    fi

    # Per-user shell preference
    case $LOGNAME in
        gij)
            export SHELL=/usr/pkg/bin/zsh
            ;;
        trkr)
            export SHELL=/usr/pkg/bin/bash
            ;;
    esac

    if [ -x "$SHELL" ]; then
        # test if it really works: run it once, non-interactively, on empty input
        ( exec $SHELL </dev/null )
        if [ $? -eq 0 ]; then
            echo "Starting $SHELL..."
            # Should be in cache now
            exec $SHELL
        fi
    fi

    # Did not work: stay in /bin/sh
    echo "The execution of $SHELL failed! Using /bin/sh..."
    export SHELL=/bin/sh
esac
=== end ===
Regards,
--
Geir Inge Jensen gij@jk.priv.no
http://www.jk.priv.no/