Several daemon users are left with valid shells in the /etc/passwd file. A quick grep operation results in the following:

prometheus:~ # grep bash /etc/passwd
root:x:0:0::/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash
cron:x:16:16:cron:/var/cron:/bin/bash
ftp:x:21:21::/home/ftp:/bin/bash
at:x:25:25:at:/var/cron/atjobs:/bin/bash
www:x:30:65534::/tmp:/bin/bash
squid:x:31:31:Squid:/var/cache/squid:/bin/bash
gdm:x:32:32:GDM:/var/lib/gdm:/bin/bash
mysql:x:60:60:mysql:/var/lib/mysql:/bin/bash
postgres:x:70:70::/var/lib/postgresql:/bin/bash
alias:x:200:200::/var/qmail/alias:/bin/bash
qmaild:x:201:200::/var/qmail:/bin/bash
qmaill:x:202:200::/var/qmail:/bin/bash
qmailp:x:203:200::/var/qmail:/bin/bash
qmailq:x:204:201::/var/qmail:/bin/bash
qmailr:x:205:201::/var/qmail:/bin/bash
qmails:x:206:201::/var/qmail:/bin/bash

In my opinion, security should be the default consideration, therefore the only user with a valid shell, until such time as additional users are added or the configuration altered, should be root. Moreover, root's shell, per default, should be a functional and statically-linked shell, be it ash-static, or bash compiled statically. This would facilitate root's ability to log in and perform system maintenance in the event of a catastrophic failure.

In my estimation, both issues present the potential for system abuse and/or unavailability.
This one is fixed with baselayout-1.8.2.
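
A check for the condition reported above, as an added example that is not part of the original report or of baselayout: it lists accounts other than root, below an assumed UID_MIN of 1000, whose shell field still permits a login. The function names, the constructed sample entries, and the treatment of `nologin` and `false` as non-login shells are assumptions of this example.

```shell
#!/bin/sh
# Added example: list non-root system accounts that still have a login shell.

# Constructed sample in passwd(5) format (not copied from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0::/root:/bin/bash
cron:x:16:16:cron:/var/cron:/bin/bash
ftp:x:21:21::/home/ftp:/bin/false
www:x:30:65534::/tmp:
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
# local comment line
broken:x:99
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF
}

# audit_passwd [FILE] [UID_MIN]
# Prints "name uid shell" for each account below UID_MIN, other than root,
# whose shell field permits an interactive login. FILE defaults to stdin ("-").
# UID_MIN defaults to 1000 (assumed boundary between system and regular users).
audit_passwd() {
    awk -F: -v uid_min="${2:-1000}" '
        /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
        NF != 7                 { next }   # skip malformed entries
        $1 == "root"            { next }   # root is expected to keep a shell
        $3 + 0 >= uid_min + 0   { next }   # regular users are out of scope
        {
            shell = $7
            # passwd(5): an empty shell field means /bin/sh, so it is a login shell
            if (shell == "") shell = "/bin/sh"
            n = split(shell, part, "/")
            base = part[n]
            if (base != "nologin" && base != "false")
                print $1, $3, shell
        }
    ' "${1:--}"
}

# Run against the constructed sample; on a real host: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

The empty shell field on the sample `www` entry is reported as `/bin/sh`, a case that `grep bash /etc/passwd` does not catch.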