root shell 2

Status
Not open for further replies.

gkout

Technical User
Mar 10, 2003
43
GR
I recently had a conversation with a colleague about changing root shell. He argued that it is a fundamental knowledge of unix that the root shell should not be changed, due to script compatibility, libraries etc. We use Solaris 9 as a server. I have done several installations in the past and always used korn shell, with no problems. I always compile the software I install and ksh suits me for all the conveniences it provides. I consider ksh the best shell for root and I don't know if this has security implications.
I would like ur opinion on this.
Thnx,
George
 
I change the root shell to Korn shell for all my systems and I haven't noticed any problems. Any scripts that require a specific shell usually spell it out on the first line (i.e. [tt]#!/bin/sh[/tt]).

That doesn't mean there isn't a problem doing it, just that I haven't noticed any problems. [bigsmile]

Hope this helps.
 
I have heard this argument before and the only thing I can think of why not to change the root shell is if you have /usr on a separate partition. If you notice root's shell on Solaris is most likely /sbin/sh, that is because it is not dynamically linked to anything. If you change the shell and /usr becomes corrupted then you will not have a shell. Other than that I think it is more of an old myth, because certain shells such as C used to be easy to manipulate environment settings or something.
 
Coffeysm u got a point about the corrupt /usr filesystem. But beyond that point I can't think of any more drawbacks.
 
Very good point coffeysm. But, if your [tt]/usr[/tt] gets corrupted, you're probably going to be booting from the CDROM to resolve it anyway (a lot of things break if [tt]/usr[/tt] goes away). You can still boot to a root shell off the Solaris CDROM because the whole boot environment is coming up from the CDROM.

The fact that [tt]/sbin/sh[/tt] is statically linked and [tt]/bin/ksh[/tt] isn't can be a security concern. If one of the libraries has been "compromised" in some way, there could be a security exposure.

My biggest concern was whether it would break or change the way scripts ran. [tt]root[/tt] is used by most of what takes place in *nix. Even though the Korn shell is backwards compatible with the Bourne shell, there are enough differences to break some scripts.

Hope this helps.
 
Well, SamBOnes, there is one thing about corruption. If a lib gets to be corrupted then, believe me, the shell is the last thing that will bother you at that time. When corruption happens anywhere in the OS you have already lost the game.
 
I never heard of the myth (I like that analogy Coffeysm) about scripts not running. If you do change the root default shell in /etc/passwd, and you have a failure in /usr, you will also not be able to enter single user mode to try and correct your problem. The way I was taught to change root's default shell (I use tcsh) is to place entries into root's .profile. You have to set and export entry SHELL and run the shell. This way, if there is a failure in /usr, you will still have the /sbin/sh to fall back on.
 
Interesting opinion bfitzmai, but the issue is how do you set the aliases in the /.profile, if you set up ksh (that's the one I use) in /.profile?
 
Ken is correct... In root's .profile you will be starting the ksh shell. It will read root's .kshrc file. When I get to work, I will post the specific entries for the .profile.
 
Gkout,
Here are the entries for the .profile

SHELL=/bin/ksh
export SHELL

ksh
 
I had already set up the .profile to run ksh but not the /.kshrc. Did that too and entered the aliases and PS1 setup in there but it seems that the /.kshrc is not read. Root's home dir is / (haven't done any mods to that -:) ). I can't remember the order in which the profiles are read from ksh. If .kshrc is read first or the .profile. The thing is that I can't get to have the /.kshrc be read.
 
I had a quick look at my notes from the Sys Admin 1 course I did some while ago. These are the recommendations.
The login shell for root (in /etc/passwd) should be /sbin/sh for the reasons already stated.
For those people who want Korn shell for root, change/add these files:
In /.profile (permissions = 644) include
ENV=$HOME/.kshrc
SHELL=/bin/ksh
export ENV SHELL
In /.kshrc (permissions = 644) include the aliases, PS1 setup, etc

For info, the running order for Bourne shell users at login is:
/etc/profile
$HOME/.profile

The running order for Korn shell users at login is:
/etc/profile
$HOME/.profile
$HOME/.kshrc
The running order when an already logged in Korn shell user starts a new process shell is:
$HOME/.kshrc

I hope that helps.

Mike
 
gkout said:
Root's home dir is / (haven't done any mods to that -:) )
Since you brought it up, that's the one thing I always change. I set [tt]root[/tt]'s home dir to be [tt]/root[/tt] with the permissions set to 750. It always seemed a security risk to leave [tt]root[/tt]'s home dir ([tt]/[/tt]) readable by anyone on the machine. That lets anyone read [tt]root[/tt]'s [tt].profile[/tt] or [tt].kshrc[/tt]. Information is power
 
Well regarding the /root dir sambones, I think u don't have to create it. U can just change perms on root's profile files (.profile, .kshrc, .cshrc etc). The effect would be the same.
 
Yeah, but on some systems I end up creating a lot of files and utilities that are only owned and usable by [tt]root[/tt]. I think it keeps the root directory (/) cleaner if these things aren't accumulating there. Also if you ever log in as root to a CDE desktop, use SSH, or a lot of other things, there can be a lot of other directories and files created in [tt]root[/tt]'s home dir. It just seems cleaner and safer if this all ends up in [tt]/root[/tt] rather than [tt]/[/tt].
 
A Linux guy?!? Me?!? No, I'm a Solaris guy at home and at work. I just don't like a lot of clutter in the root directory.
 
Mike regarding the changes in the /.profile, I just found out today that they don't work. I tried to setup a second box with the shell settings but the /.kshrc is not read. On the 1st box it worked cause I still had the shell pointing to /bin/ksh in /etc/passwd. The settings you have are functional?
 
Hi gkout,

No, sorry, not functional just theoretical (as stated).
I have just tried it out myself (on Solaris 8) and you are quite right. My sincere apologies. The /.kshrc is not read. SHELL=/bin/ksh , but echo $0 says -sh , so it would appear the notes from the course are misleading (or even wrong). I must admit at our site we do change root's default shell from /sbin/sh to /bin/ksh because we had problems with CDE for root (and in mitigation /usr is not a separate partition).

Apologies once again for incomplete/duff information.

Mike
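
Added example, not from any poster in this thread: a fragment for root's .profile that keeps /sbin/sh as the login shell in /etc/passwd and starts ksh as a child only after confirming it actually runs, exporting ENV first so that ksh, rather than the Bourne shell, reads .kshrc. The function names and PREFERRED_SHELL are chosen here for illustration, and the code sticks to plain Bourne syntax.

```shell
# Fragment for root's .profile, which the login shell (/sbin/sh) reads.
# Constructed example: PREFERRED_SHELL, usable_shell and switch_shell are
# names chosen here, not Solaris conventions.

PREFERRED_SHELL=/bin/ksh

# usable_shell PATH
# Succeeds only if PATH is executable AND a no-op command runs through it.
# The trial run catches a missing /usr or a damaged shared library, which a
# plain "test -x" would not notice.
usable_shell() {
    [ -n "$1" ] && [ -x "$1" ] && "$1" -c ':' >/dev/null 2>&1
}

# switch_shell PATH
# Exports what ksh needs, then starts it as a child of the login shell.
# There is deliberately no "exec": if the child cannot start or dies, control
# returns to the statically linked login shell instead of ending the session.
switch_shell() {
    usable_shell "$1" || return 1
    ENV=$HOME/.kshrc   # ksh reads the file named by ENV; the Bourne shell ignores it
    SHELL=$1
    export ENV SHELL
    # Start an interactive shell only when stdin is a terminal, so cron jobs
    # and other non-interactive uses of this file are left alone.
    if [ -t 0 ]; then
        "$1"
    fi
    return 0
}

# If the preferred shell is unusable, stay in the login shell silently.
switch_shell "$PREFERRED_SHELL" || :
```

Leaving ksh with "exit" drops back to the Bourne login shell rather than logging out, which is the price of not using exec.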
 