Root shell


Root shell

by Sniper-6

Hi!

I heard that changing root shell to bash is not a good idea, also programming
in any C shell is not applicable. So which shell is the most appropriate for
root user?


Regards,

Jurif
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

Re: Root shell

by Glen Barber-2

On Sun, Mar 1, 2009 at 9:50 AM, Sniper <kkiller@...> wrote:
> Hi!
>
> I heard that changing root shell to bash is not a good idea, also programming
> in any C shell is not applicable. So which shell is the most appropriate for
> root user?
>

/bin/csh

--
Glen Barber

Re: Root shell

by Daniel Lannstrom

Why is this not a good idea? The only reason I can think of is that you
want your root shell on the root hard drive. As many systems use a
separate partition for /usr and that bash installs to /usr/local/bin per
default I can see how that can cause troubles. But are there any other
reasons? Instability in bash? Unexpected behavior causing more harm in a
root shell?

On Sun, Mar 01, 2009 at 03:50:29PM +0100, Sniper wrote:
> I heard that changing root shell to bash is not a good idea

Re: Root shell

by Glen Barber-2

On Sun, Mar 1, 2009 at 10:55 AM, Daniel Lannstrom <op@...> wrote:
> Why is this not a good idea? The only reason I can think of is that you
> want your root shell on the root hard drive. As many systems use a
> separate partition for /usr and that bash installs to /usr/local/bin per
> default I can see how that can cause troubles. But are there any other
> reasons? Instability in bash? Unexpected behavior causing more harm in a
> root shell?
>

This explains one of the reasons not to change root's shell:

http://www.freebsd.org/doc/en/books/faq/security.html#TOOR-ACCOUNT


--
Glen Barber

Re: Root shell

by Frank Shute-2

On Sun, Mar 01, 2009 at 03:50:29PM +0100, Sniper wrote:
>
> Hi!
>
> I heard that changing root shell to bash is not a good idea, also programming
> in any C shell is not applicable. So which shell is the most appropriate for
> root user?
>

I changed my root shell to pdksh with no ill-effects. I just copied it
from /usr/local/bin to /bin and added it to /etc/shells. Then vipw.

pdksh is statically linked and I don't know if bash is. If it's not
you won't be able to use it in single user mode but you can always use
/bin/sh instead.

Another option is to use the toor account rather than messing around
with root.

I think programming with csh is deprecated nowadays - a shell guru
could tell you if that's true.

Regards,

--

 Frank


 Contact info: http://www.shute.org.uk/misc/contact.html 


Re: Root shell

by Matthew Seaman-2

Frank Shute wrote:
 
> I think programming with csh is deprecated nowadays - a shell guru
> could tell you if that's true.

Sure csh is deprecated for programming, and has been for a long time[*].
But this is not about shell programming.  It's about what interactive shell
root should have. That's a very different thing, and [t]csh is just fine
for interactive use.

        Cheers,

        Matthew

[*] Anyone with any sense will write POSIX compliant scripts using /bin/sh
for maximum portability.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW




Re: Root shell

by Daniel Lannstrom

On Sun, Mar 01, 2009 at 11:11:56AM -0500, Glen Barber wrote:
> This explains one of the reasons not to change root's shell:
>
> http://www.freebsd.org/doc/en/books/faq/security.html#TOOR-ACCOUNT

Yes that's exactly what I meant. Is there any other reason except for
that? As I see it that problem can easily be solved by copying bash to
the root file system. Also many systems today have the root and /usr
on the same file system.

Re: Root shell

by Glen Barber-2

On Sun, Mar 1, 2009 at 11:43 AM, Daniel Lannstrom <op@...> wrote:
> On Sun, Mar 01, 2009 at 11:11:56AM -0500, Glen Barber wrote:
>> This explains one of the reasons not to change root's shell:
>>
>> http://www.freebsd.org/doc/en/books/faq/security.html#TOOR-ACCOUNT
>
> Yes that's exactly what I meant. Is there any other reason except for
> that? As I see it that problem can easily be solved by copying bash to
> the root file system. Also many systems today have the root and /usr
> on the same file system.

You'd have to also copy more than just the binary file.  It's more
complex than that, and generally is a Bad Idea(tm).

--
Glen Barber

Re: Root shell

by Wojciech Puchar-5

> I heard that changing root shell to bash is not a good idea

from whom?

use what you like the most.

>, also programming
> in any C shell is not applicable. So which shell is the most appropriate for
> root user?

anything you like.

Re: Root shell

by Wojciech Puchar-5

> Why is this not a good idea? The only reason I can think of is that you
> want your root shell on the root hard drive. As many systems use a
> separate partition for /usr and that bash installs to /usr/local/bin per

yes it may be a reason, but there is always /rescue directory.

and I - at least - prefer to have as few partitions as possible to not
make things complicated.

most cases swap+/

Re: Root shell

by RW-15

On Sun, 1 Mar 2009 16:16:50 +0000
Frank Shute <frank@...> wrote:


> pdksh is statically linked and I don't know if bash is.

It's a build option.

Re: Root shell

by Geoff Fritz

On Sun, Mar 01, 2009 at 04:16:50PM +0000, Frank Shute wrote:

> On Sun, Mar 01, 2009 at 03:50:29PM +0100, Sniper wrote:
> >
> > Hi!
> >
> > I heard that changing root shell to bash is not a good idea, also programming
> > in any C shell is not applicable. So which shell is the most appropriate for
> > root user?
> >
>
> I changed my root shell to pdksh with no ill-effects. I just copied it
> from /usr/local/bin to /bin and added it to /etc/shells. Then vipw.
>
> pdksh is statically linked and I don't know if bash is. If it's not
> you won't be able to use it in single user mode but you can always use
> /bin/sh instead.

I, too, like pdksh for my root accounts.  If I have a system where
/usr/local does not share the / device, I will copy it over.  There's the
WITH_STATIC_BASH knob to make bash a static binary, as well.  As noted by
someone in the archives, ksh-alikes have issues allocating a tty when used
in a jail accessed via jexec, so beware of that.

As system shell scripts have their correctly defined #! shell (/bin/sh), it
really doesn't matter what you use for an interactive shell so long as you
trust the source distribution of that shell (which should be an obvious
conclusion, since the FreeBSD team is only responsible for those shells that
come packaged with the base OS).

Purists will note that root's choice of shell is of no consequence since
nobody should be using the root account for any serious long-term
interactive use in the first place.  Except for environments where there's
an assumed lack of trust in the admins (use sudo), delegation of root-like
powers to lesser admins (use sudo), or strict audit/logging requirements
(use sudosh or more serious auditing mechanisms), I personally feel that
hobbling an admin with a non-root account is of dubious value.

In any case, there's no functional reason to not use the shell of your
choice.  However, individuals or organizations will strongly differ in their
admin philosophy.

-- Geoff

Re: Root shell

by Jerry McAllister-2

On Sun, Mar 01, 2009 at 03:50:29PM +0100, Sniper wrote:

> Hi!
>
> I heard that changing root shell to bash is not a good idea, also programming
> in any C shell is not applicable. So which shell is the most appropriate for
> root user?

You can get your tail in a crack if you boot to single user or another
file system like /usr  is not available.    /bin/csh   (which on FreeBSD
is the same as tcsh)  is always available and a few things are written
so they expect it.

So, leave root alone.  
If you must lower yourself to bash, make another account and set its
shell to bash.   You can even make an alternate root and make it bash
if you really must work in root.   Use vipw and copy the toor line
in the passwd file and change the name to something you like and the shell
to bash and the home directory to /root/whatever.
Then set the password for this account.
As root do:
  passwd whatever

follow prompts.

You must put the id name on the passwd command or it will change root instead.

I am not necessarily recommending all this, but it is better than
changing the actual root account's shell.

////jerry


>
>
> Regards,
>
> Jurif

Re: Root shell

by prad-2

On Sun, 1 Mar 2009 13:51:32 -0500
Jerry McAllister <jerrymc@...> wrote:

> I am not necessarily recommending all this, but it is better than
> changing the actual root account's shell.
>
besides, you don't really need to, do you?
i just log in with su -m and get to use my own account's aliases etc,
but as root.

--
In friendship,
prad

                                      ... with you on your journey
Towards Freedom
http://www.towardsfreedom.com (website)
Information, Inspiration, Imagination - truly a site for soaring I's

Re: Root shell

by Polytropon

On Sun, 1 Mar 2009 17:43:55 +0100, Daniel Lannstrom <op@...> wrote:
> On Sun, Mar 01, 2009 at 11:11:56AM -0500, Glen Barber wrote:
> > This explains one of the reasons not to change root's shell:
> >
> > http://www.freebsd.org/doc/en/books/faq/security.html#TOOR-ACCOUNT
>
> Yes that's exactly what I meant. Is there any other reason except for
> that? As I see it that problem can easily be solved by copying bash to
> the root file system. Also many systems today have the root and /usr
> on the same file system.

I wouldn't rely on the "many systems today" assumption.

As an addition, I'd like to mention that there are "two root shells":
First is the system's standard scripting shell /bin/sh which is
usually invoked first when entering maintenance mode (single user
mode). As well as FreeBSD's standard dialog shell /bin/csh it resides
on the / partition.

Maybe it can be seen as an "unwritten law", or at least as a kind
of well intended suggestion to use /bin/csh for root's dialog shell
as well as /bin/sh for scripting. It may be considered "old-fashioned",
but it has served well to follow this suggestion over the years.

Just as a very individual example, I haven't found any need to
install BASH on any system I've done so far. But it's completely
okay to have BASH as a user's dialog shell when the system is up
and running well.

Furthermore, I don't think copying the bash* binary is sufficient
to have BASH in SUM in a problem situation (which is: / is mounted
ro, nothing else mounted). Reason:

        % which bash | xargs ldd
        /usr/local/bin/bash:
                libncurses.so.7 => /lib/libncurses.so.7 (0x280ff000)
                libintl.so.8 => /usr/local/lib/libintl.so.8 (0x2813d000)
                libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28146000)
                libc.so.7 => /lib/libc.so.7 (0x2823b000)

There are library dependencies on /usr partition.



--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
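
The checks raised in this thread (shell binary on the root file system, no shared libraries under /usr, shell listed in /etc/shells) can be combined into one audit. This is an added example, not part of any poster's message; the function names and the "path starts with /usr/" test for "not on the root file system" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a candidate root shell for single-user-mode usability.
# Assumption: "off the root file system" is approximated by "path starts
# with /usr/"; adjust ROOT_UNSAFE_PREFIX for other partition layouts.

ROOT_UNSAFE_PREFIX="/usr/"

# Read ldd(1) output on stdin and print every resolved library path that
# lives under ROOT_UNSAFE_PREFIX, one per line. Lines without "=>" (the
# header line, or a "not a dynamic executable" notice) are ignored, so a
# static binary yields no output.
libs_off_root() {
    awk -v pfx="$ROOT_UNSAFE_PREFIX" '
        $2 == "=>" && index($3, pfx) == 1 { print $3 }
    '
}

# audit_shell PATH LDD_TEXT SHELLS_FILE
# Prints one finding per line; returns 0 only when there are no findings.
audit_shell() {
    shell_path=$1; ldd_text=$2; shells_file=$3; rc=0

    # 1. The binary itself must not live on a separately mounted /usr.
    case $shell_path in
        "$ROOT_UNSAFE_PREFIX"*)
            echo "binary-off-root: $shell_path"; rc=1 ;;
    esac

    # 2. Copying the binary to /bin is not enough if its libraries stay behind.
    for lib in $(printf '%s\n' "$ldd_text" | libs_off_root); do
        echo "lib-off-root: $lib"; rc=1
    done

    # 3. The shell must be listed (exact line match) in the shells file.
    if ! grep -qxF -- "$shell_path" "$shells_file" 2>/dev/null; then
        echo "not-in-shells: $shell_path"; rc=1
    fi
    return $rc
}

# Sample input: the ldd output quoted in the message above.
SAMPLE_LDD='/usr/local/bin/bash:
        libncurses.so.7 => /lib/libncurses.so.7 (0x280ff000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x2813d000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x28146000)
        libc.so.7 => /lib/libc.so.7 (0x2823b000)'

# On a live system:
#   audit_shell /bin/bash "$(ldd /bin/bash 2>/dev/null)" /etc/shells
```

Run against the sample, a bash binary copied to /bin still reports the two libraries under /usr/local/lib, which is the single-user-mode failure described above.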

Re: Root shell

by Polytropon

On Sun, 1 Mar 2009 11:21:54 -0800, prad <prad@...> wrote:
> besides, you don't really need to, do you?
> i just log in with su -m and get to use my own account's aliases etc,
> but as root.

Furthermore, since the introduction of the sudo command (which
is installable by ports / package) prefixing commands with "sudo"
seems to be okay for most tasks.

And as you said, Prad, using FreeBSD's su command (su -m) will
usually do just fine.

Another "wisdom" about this topic: "If you see that you're spending
so much time as 'root' that you feel you need to change the root
shell to BASH, you're obviously doing something wrong." :-)




--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: Root shell

by new_guy

RW-15 wrote:
> On Sun, 1 Mar 2009 16:16:50 +0000
> Frank Shute <frank@shute.org.uk> wrote:
>
>> pdksh is statically linked and I don't know if bash is.
>
> It's a build option.

Seems root should have a static shell always... otherwise, all bets are off
as some of the shared libs may be inaccessible or damaged. So long as bash
is statically linked and properly located, there should not be an issue. But
most folks (linux users) aren't aware of the implications of dynamic linking
and such. So it's probably best to 'just say no' to the OP's question. Leave
root's shell alone unless you know what you're doing and bash is built
appropriately.

Re: Root shell

by Jerry McAllister-2

On Mon, Mar 02, 2009 at 09:55:39AM -0800, new_guy wrote:

>
>
> RW-15 wrote:
> >
> > On Sun, 1 Mar 2009 16:16:50 +0000
> > Frank Shute <frank@...> wrote:
> >
> >> pdksh is statically linked and I don't know if bash is.
> >
> > It's a build option.
> >
> >
>
> Seems root should have a static shell always... otherwise, all bets are off
> as some of the shared libs may be inaccessible or damaged. So long as bash
> is statically linked and properly located, there should not be an issue. But
> most folks (linux users) aren't aware of the implications of dynamic linking
> and such. So it's probably best to 'just say no' to the OP's question. Leave
> root's shell alone unless you know what you're doing and bash is built
> appropriately.

Well put.

////jerry


Re: Root shell

by Mel-15

On Sunday 01 March 2009 07:47:44 Glen Barber wrote:

> On Sun, Mar 1, 2009 at 11:43 AM, Daniel Lannstrom <op@...> wrote:
> > On Sun, Mar 01, 2009 at 11:11:56AM -0500, Glen Barber wrote:
> >> This explains one of the reasons not to change root's shell:
> >>
> >> http://www.freebsd.org/doc/en/books/faq/security.html#TOOR-ACCOUNT
> >
> > Yes that's exactly what I meant. Is there any other reason except for
> > that? As I see it that problem can easily be solved by copying bash to
> > the root file system. Also many systems today have the root and /usr
> > on the same file system.
>
> You'd have to also copy more than just the binary file.

True, that's why ports respect PREFIX.

> It's more
> complex than that, and generally is a Bad Idea(tm).

FUD. Just use:
make -C /usr/ports/shells/bash -DWITH_STATIC_BASH PREFIX=/

(or PREFIX=/opt or PREFIX=/static or whatever, just as long as it resides on
the root partition).

If something isn't working that should work (f.e. rc.d scripts), it's easy to
chsh -s /bin/csh, relog and see if it works then. I've seen one case where a
startup script didn't work because root shell was zsh. Judging from that
case, zsh thought it was running interactively or PROMPTS set in .zlogin
rather than .zshrc and various tty related commands screwed things up. Also,
zsh is more aggressive on correcting command line arguments. All this
amounts to "know your shell" which is an argument *for* changing root's
shell to something you're familiar with, rather than leaving it at csh out of
unfounded paranoia.
--
Mel

Problem with today's modular software: they start with the modules
    and never get to the software part.