system: manually select user login shell #2154

Closed
fichtner opened this Issue Feb 1, 2018 · 1 comment

Member

fichtner commented Feb 1, 2018

@fichtner fichtner added the feature label Feb 1, 2018

@fichtner fichtner added this to the 18.7 milestone Feb 1, 2018

@fichtner fichtner self-assigned this Feb 1, 2018

fichtner added a commit that referenced this issue Feb 4, 2018

system: remove the user-shell-access privilege #2154
Eventually, the two remaining user privileges should be killed
as well in favour of similar approaches.  The ACL should be for
page access, not more, not less.

Member

fichtner commented Feb 4, 2018

@Mausy5043 as discussed, known good shells (now that includes bash, zsh and scponly) are preserved in /etc/shells upon reboot. Furthermore, you can select a login shell for each user separately and the old "shell access" privilege is scheduled for removal in 18.7.

We lose a little bit of flexibility, but shell access is delicate as discussed in a similar forum thread regarding piggybacked SFTP access, see https://forum.opnsense.org/index.php?topic=6994.15

Not entirely sure this is robust enough for 18.1.x yet so keeping this open for tweaking and feedback. :)
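
An added example, not part of the issue thread or the OPNsense code base: a POSIX sh audit that classifies each account's login shell against a shells list, which is the check an administrator would run once shells are assigned per user. The function names, sample accounts and paths are constructed for illustration, and the two files are passed as arguments rather than assuming a particular system layout.

```shell
#!/bin/sh
# Added example: classify each account's login shell against a shells list.
# Prints "<user> <shell> <status>"; status is listed, unlisted or nologin.
audit_login_shells() {  # args: passwd-format file, shells file
    awk -F: '
        FILENAME == ARGV[1] {            # first file: the shells list
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") allowed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        {
            # passwd(5): an empty shell field means /bin/sh
            shell = ($NF == "") ? "/bin/sh" : $NF
            n = split(shell, parts, "/")
            if (parts[n] == "nologin" || parts[n] == "false") status = "nologin"
            else if (shell in allowed) status = "listed"
            else status = "unlisted"
            print $1, shell, status
        }
    ' "$2" "$1"
}

write_sample() {  # arg: directory; every value below is constructed
    cat > "$1/shells" <<'EOF'
# constructed sample shells list
/bin/sh
/usr/local/bin/bash
/usr/local/bin/scponly
EOF
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:2000:2000:Alice:/home/alice:/usr/local/bin/bash
backup:*:2001:2001:SFTP only:/home/backup:/usr/local/bin/scponly
bob:*:2002:2002:Bob:/home/bob:/usr/local/bin/fish
www:*:80:80:Web Owner:/nonexistent:/usr/sbin/nologin
carol:*:2003:2003:Carol:/home/carol:
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp -d)
write_sample "$tmp"
audit_login_shells "$tmp/passwd" "$tmp/shells"
rm -rf "$tmp"
```

Accounts reported as `listed` can log in with that shell, so a restricted shell such as scponly still shows up there and should be reviewed separately from full interactive shells.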
