Hi, an old behaviour seems to set /usr/sbin/nologin as shell, not /sbin/nologin. Since it would be hard to change all /usr/sbin/nologin entries to /sbin/nologin, I propose ln -s /sbin/nologin /usr/sbin/ e.g.:

[sleipnir:~]% grep nologin /etc/passwd
sockd:x:101:2:added by portage for dante:/etc/socks:/usr/sbin/nologin
ntp:x:123:123:added by portage for ntp:/dev/null:/usr/sbin/nologin
apache:x:81:81:added by portage for apache:/var/www:/usr/sbin/nologin
privoxy:x:102:1001:added by portage for privoxy:/etc/privoxy:/usr/sbin/nologin
postgrey:x:103:1002:added by portage for postgrey:/dev/null:/usr/sbin/nologin
ntop:x:104:1003:added by portage for ntop:/var/lib/ntop:/usr/sbin/nologin
smokeping:x:105:1004:added by portage for smokeping:/var/lib/smokeping:/usr/sbin/nologin
mysql:x:60:60:added by portage for mysql:/dev/null:/usr/sbin/nologin
arpwatch:x:106:1006:added by portage for arpwatch:/var/lib/arpwatch:/usr/sbin/nologin
clamav:x:107:1007:added by portage for clamav:/dev/null:/usr/sbin/nologin
dhcp:x:108:1008:added by portage for dhcp:/var/lib/dhcp:/usr/sbin/nologin
shttpd:x:109:1009:added by portage for shttpd:/var/www/localhost/htdocs:/usr/sbin/nologin
proftpd:x:110:1010:added by portage for proftpd:/dev/null:/usr/sbin/nologin
messagebus:x:111:1011:added by portage for dbus:/dev/null:/sbin/nologin
ftp:x:21:21:added by portage for ftpbase:/home/ftp:/sbin/nologin
rpc:x:113:111:added by portage for portmap:/dev/null:/sbin/nologin
bacula:x:114:1013:added by portage for bacula:/var/lib/bacula:/sbin/nologin
named:x:40:40:added by portage for bind:/etc/bind:/sbin/nologin
zope:x:261:261:added by portage for zope:/var/lib/zope:/sbin/nologin
polw:x:115:1017:added by portage for policyd-weight:/dev/null:/sbin/nologin
tcpdump:x:116:1018:added by portage for tcpdump:/dev/null:/sbin/nologin
at:x:25:25:added by portage for at:/var/spool/cron/atjobs:/sbin/nologin
asterisk:x:112:1021:added by portage for asterisk:/var/lib/asterisk:/sbin/nologin
xfs:x:33:33:added by portage for xfs:/etc/X11/fs:/sbin/nologin
(In reply to comment #0)
> Since it would be hard to change all /usr/sbin/nologin entries to
> /sbin/nologin

sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd
does it really matter? if the login shell doesn't exist, the user can't log in. if the login shell does exist, but points to nologin, the user can't log in. we could have the shadow ebuild do the upgrade in pkg_postinst ...
(In reply to comment #1)
> (In reply to comment #0)
> > Since it would be hard to change all /usr/sbin/nologin entries to
> > /sbin/nologin
>
> sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd

Obviously a pro-user knows he can run sed or ViM. I'm not speaking for me. It's for basic users. My point is to solve this through ebuilds only, automatically. Running `sed` in an ebuild on a live /etc/passwd may be dangerous.

@Vapier: it's not too important from a security PoV, but nologin is a useful program that:
- prints the user a message that his account is not available
- calls syslog

That has two purposes:
- inform the user
- syslog: differentiate formerly valid then denied accounts; and generic accounts like named, mysql...

You may argue that an administrator of a multi-user SSH box is able to discover and manually fix this issue, but, still, that change of behaviour is surprising and may stay hidden for some time...
either we run the sed in baselayout to automatically convert /usr/sbin/nologin to /sbin/nologin if $ROOT/usr/sbin/nologin doesn't exist, or we just stick with the standard warning about user accounts with invalid shells. as for nologin displaying an informative message, I'd make the statement that the curt message "This account is currently not available." is just about as useful as no message at all. the syslog aspect though is semi-useful ... I wasn't aware that the binary actually did that.
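The two options discussed in this thread (a pkg_postinst-style migration that rewrites /usr/sbin/nologin to /sbin/nologin only when $ROOT/usr/sbin/nologin is absent, versus the standard warning about accounts with invalid shells) are shown below as an added POSIX sh example. It is not baselayout's or shadow's own code: the function names, the $ROOT handling, and the constructed passwd entries are assumptions for illustration. Instead of running `sed -i` on the live file, the migration rewrites only the exact shell field into a temporary file and renames it into place, which addresses the concern raised in comment #2.

```sh
#!/bin/sh
# Added example (not Gentoo's baselayout/shadow code).
# migrate_nologin PASSWD_FILE ROOT
#   If "$ROOT/usr/sbin/nologin" is not an executable, rewrite the shell
#   field (7th field) of every entry that is exactly /usr/sbin/nologin to
#   /sbin/nologin. The rewrite goes to a temp file and is renamed into
#   place, rather than editing the live file in place.
migrate_nologin() {
    passwd_file=$1
    root=${2:-}
    if [ -x "$root/usr/sbin/nologin" ]; then
        # /usr/sbin/nologin exists on this system: nothing to migrate.
        return 0
    fi
    tmp="$passwd_file.tmp.$$"
    # Only the exact shell field is touched; home dirs or GECOS text that
    # happen to contain the string are left alone (unlike a global sed).
    awk -F: -v OFS=: '$7 == "/usr/sbin/nologin" { $7 = "/sbin/nologin" } { print }' \
        "$passwd_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$passwd_file"
}

# list_invalid_shells PASSWD_FILE ROOT
#   Print "user:shell" for each account whose login shell is not an
#   executable under ROOT. This is the "warn about invalid shells" path.
list_invalid_shells() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _ _ _ _ _ shell; do
        [ -n "$shell" ] || continue
        [ -x "$root$shell" ] || printf '%s:%s\n' "$user" "$shell"
    done < "$passwd_file"
}

# shell_of PASSWD_FILE USER: print the shell field of one account.
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Demo on a constructed fake root (nothing touches the real /etc/passwd).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/etc"
    printf '#!/bin/sh\nexit 1\n' > "$root/sbin/nologin"
    chmod +x "$root/sbin/nologin"
    # Constructed entries modelled on the report above.
    cat > "$root/etc/passwd" <<EOF
sockd:x:101:2:added by portage for dante:/etc/socks:/usr/sbin/nologin
named:x:40:40:added by portage for bind:/etc/bind:/sbin/nologin
EOF
    echo "before:"; list_invalid_shells "$root/etc/passwd" "$root"
    migrate_nologin "$root/etc/passwd" "$root"
    echo "after:";  list_invalid_shells "$root/etc/passwd" "$root"
    rm -rf "$root"
}
[ "${1:-}" = demo ] && demo
```

Run it with `sh script.sh demo` to see the sockd entry reported before the migration and nothing reported after. When $ROOT/usr/sbin/nologin does exist (for example because the symlink from comment #0 was created), the function leaves the file untouched.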
http://sources.gentoo.org/sys-apps/baselayout/baselayout-2.0.0.ebuild?r1=1.3&r2=1.4