Closed jonmchan closed 5 years ago
Yes, that's a good point.
@alebabai add a check to see if password file is writable. We should probably emit a warning that the feature will be disabled.
This has been fixed in https://github.com/cloudposse/bastion/releases/tag/0.1.4
When attempting to do this, the docker container fails to start up. The error in the logs shows as:
This is because chsh is run on startup - https://github.com/cloudposse/bastion/blob/8411230e466decf3a069fa3a5185c94bd5028d75/rootfs/etc/init.d/ssh-audit#L13.
The code should be updated to allow passwd, shadow, and group to not be modified during normal usage or the recommendation to keep those files mounted as read-only should be removed.
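One way to implement the check suggested in this thread (warn and disable the feature when the account files cannot be modified), as an added example that is not the bastion project's own code. The function names and the `ACCOUNT_FILES` variable are hypothetical; the file list comes from the issue text.

```shell
#!/bin/sh
# Added example: skip account-modifying startup steps (such as chsh) when
# passwd, shadow or group are mounted read-only, instead of failing startup.
# Hypothetical names; override ACCOUNT_FILES to point at other paths.
ACCOUNT_FILES="${ACCOUNT_FILES:-/etc/passwd /etc/shadow /etc/group}"

# Return 0 if every account file exists and can be opened for writing.
# The file is opened for append rather than checked by permission bits:
# the open fails on a read-only mount even for root, and writes nothing.
account_files_writable() {
    rc=0
    for f in $ACCOUNT_FILES; do
        if [ ! -f "$f" ]; then
            echo "WARNING: $f does not exist" >&2
            rc=1
        elif ! ( : >> "$f" ) 2>/dev/null; then
            echo "WARNING: $f is not writable" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the given command only when the account files can be modified.
# Otherwise emit a warning that the feature is disabled and return 0 so
# the rest of the startup sequence continues.
run_if_accounts_writable() {
    if account_files_writable; then
        "$@"
    else
        echo "WARNING: account files are read-only; feature disabled, skipping: $*" >&2
        return 0
    fi
}
```

In an init script the guarded step would be called as `run_if_accounts_writable chsh ...`, with the arguments the script already uses.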