Cybersecurity

Hello,
My firm has a requirement that everyone must use bash. Of course, there can be exceptions so I do not want to disable the other shells. But is there a way that I can prevent users from switching to another shell?

Thank you.

You can disable access to chsh. But that will never stop somebody from changing the shebang line in a script. If you already have production and startup scripts in bourne shell or ksh or whatever you cannot deny access to those shells.

Can you more clearly define what you want to acheive? What OS are we talking about here?

Certainly, as best as I can.

The firm decided simply to restrict everyone to the bash shell for "security" reasons. It is a small enough firm that they might be able to get away with it, but it would be nice to enforce it. They have documented it as policy, but they would like to have something a bit more strict, forcing everyone to only use bash. I was not sure that it could be done but I figured that I would ask.

It can be done. Not a great idea on production machines.

Assuming there are no production or system scripts written in anything but /bin/sh or bin/bash (and /bin/sh is a symlink to bash), make all of the "other" shells symlinks to /usr/bin/bash. /bin/sh should also ALREADY be a link to /bin/bash, ie the system boots up error-free using bash. If it is not - do not do this.

Restrict access to /usr/bin/chsh - deny other execute. The only other problem is somebody using passwd -s to change shells. All that will happen there is they will "change" to bash anyway.

None of this is a great idea. There could be scripts somewhere that depend on ksh wierdness and you just broke them, for example. I am also not convinced about security concerns unless there are shells that some user downloaded off the net on your box somewhere. You may want to et rid of those anyway whether or not you can lock down to bash-only.

Thank you. I just wanted to mention (since I left it off before) that we are talking about Solaris machines.

I agree with you about not seeing the security advantage here, but I figured that I would research it and be prepared for that possibility.

The current default shell on Solaris is the Bourne shell. All the startup scripts depend on it. If you are going to change it to bash, you need to test your startup and shutdown scripts carefully.