Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 215698 - sys-apps/shadow does not provides /usr/sbin/nologin
Summary: sys-apps/shadow does not provides /usr/sbin/nologin
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-01 13:29 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2008-04-19 06:22 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-01 13:29:59 UTC
Hi,

an old behaviour seems to set /usr/sbin/nologin as shell, not /sbin/nologin.

Since it would be hard to change all /usr/sbin/nologin entries to /sbin/nologin, i propose ln -s /sbin/nologin /usr/sbin/

e.g. :

[sleipnir:~]% grep nologin /etc/passwd
sockd:x:101:2:added by portage for dante:/etc/socks:/usr/sbin/nologin
ntp:x:123:123:added by portage for ntp:/dev/null:/usr/sbin/nologin
apache:x:81:81:added by portage for apache:/var/www:/usr/sbin/nologin
privoxy:x:102:1001:added by portage for privoxy:/etc/privoxy:/usr/sbin/nologin
postgrey:x:103:1002:added by portage for postgrey:/dev/null:/usr/sbin/nologin
ntop:x:104:1003:added by portage for ntop:/var/lib/ntop:/usr/sbin/nologin
smokeping:x:105:1004:added by portage for smokeping:/var/lib/smokeping:/usr/sbin/nologin
mysql:x:60:60:added by portage for mysql:/dev/null:/usr/sbin/nologin
arpwatch:x:106:1006:added by portage for arpwatch:/var/lib/arpwatch:/usr/sbin/nologin
clamav:x:107:1007:added by portage for clamav:/dev/null:/usr/sbin/nologin
dhcp:x:108:1008:added by portage for dhcp:/var/lib/dhcp:/usr/sbin/nologin
shttpd:x:109:1009:added by portage for shttpd:/var/www/localhost/htdocs:/usr/sbin/nologin
proftpd:x:110:1010:added by portage for proftpd:/dev/null:/usr/sbin/nologin
messagebus:x:111:1011:added by portage for dbus:/dev/null:/sbin/nologin
ftp:x:21:21:added by portage for ftpbase:/home/ftp:/sbin/nologin
rpc:x:113:111:added by portage for portmap:/dev/null:/sbin/nologin
bacula:x:114:1013:added by portage for bacula:/var/lib/bacula:/sbin/nologin
named:x:40:40:added by portage for bind:/etc/bind:/sbin/nologin
zope:x:261:261:added by portage for zope:/var/lib/zope:/sbin/nologin
polw:x:115:1017:added by portage for policyd-weight:/dev/null:/sbin/nologin
tcpdump:x:116:1018:added by portage for tcpdump:/dev/null:/sbin/nologin
at:x:25:25:added by portage for at:/var/spool/cron/atjobs:/sbin/nologin
asterisk:x:112:1021:added by portage for asterisk:/var/lib/asterisk:/sbin/nologin
xfs:x:33:33:added by portage for xfs:/etc/X11/fs:/sbin/nologin
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2008-04-01 13:53:01 UTC
(In reply to comment #0)
> Since it would be hard to change all /usr/sbin/nologin entries to
> /sbin/nologin

sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd
Comment 2 SpanKY gentoo-dev 2008-04-01 15:30:12 UTC
does it really matter ?  if the login shell doesnt exist, the user cant login.  if the login shell does exist, but points to nologin, the user cant login.

we could have the shadow ebuild do the upgrade in pkg_postinst ...
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-14 12:09:33 UTC
(In reply to comment #1)
> (In reply to comment #0)
> > Since it would be hard to change all /usr/sbin/nologin entries to
> > /sbin/nologin
> 
> sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd
> 

Obviously a pro-user knows he can run sed or ViM. I'm not speaking for me. It's for basic users. My point is to solve this thought ebuilds only, automatically. Running `sed` in an ebuild on a live /etc/passwd may be dangerous.

@Vapier: it's not too important from a security PoV, but nologin is a useful program that :
 - prints the user a message that his account is not avaible
 - calls syslog
That has two purposes :
 - inform the user
 - syslog: differentiate formerly valid then denied account; and generic accounts like named, mysql...

You may argue that an administrator of a multi-user SSH box is able to discover and manually fix this issue, but, still, that change of behaviour is surprinsing and may stay hidden for some time...
Comment 4 SpanKY gentoo-dev 2008-04-19 06:16:31 UTC
either we run the sed in baselayout to automatically convert /usr/sbin/nologin to /sbin/nologin if $ROOT/usr/sbin/nologin doesnt exist, or we just stick with the standard warning about user accounts with invalid shells.

as for nologin displaying an informative message, i'd make the statement that the curt message "This account is currently not available." is just about as useful as no message at all.

the syslog aspect though is semi-useful ... i wasnt aware that the binary actually did that.