以下内容可防止锁定的帐户更改其shell,并有选择地让人们在没有sudo或su的情况下使用chsh:
简单的设置仍然是安全的:
>添加/etc/pam.d/chsh的顶部:
# This allows users of group chsh to change their shells without a password.
#
# Per: http://serverfault.com/questions/202468/changing-the-shell-using-chsh-via-the-command-line-in-a-script
#
auth sufficient pam_wheel.so trust group=chsh
>创建chsh组:
groupadd chsh
对于任何允许更改其shell的用户:
usermod -a -G chsh username
钱拍:
user@host:~$getent passwd $USER
user:x:1000:1001::/home/user:/bin/bash
user@host:~$chsh -s `which zsh`
user@host:~$getent passwd $USER
user:x:1000:1001::/home/user:/usr/bin/zsh
user@host:~$