Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!

Full Text Bug Listing

Hi,

an old behaviour seems to set /usr/sbin/nologin as shell, not /sbin/nologin.

Since it would be hard to change all /usr/sbin/nologin entries to
/sbin/nologin, i propose ln -s /sbin/nologin /usr/sbin/

e.g. :

[sleipnir:~]% grep nologin /etc/passwd
sockd:x:101:2:added by portage for dante:/etc/socks:/usr/sbin/nologin
ntp:x:123:123:added by portage for ntp:/dev/null:/usr/sbin/nologin
apache:x:81:81:added by portage for apache:/var/www:/usr/sbin/nologin
privoxy:x:102:1001:added by portage for privoxy:/etc/privoxy:/usr/sbin/nologin
postgrey:x:103:1002:added by portage for postgrey:/dev/null:/usr/sbin/nologin
ntop:x:104:1003:added by portage for ntop:/var/lib/ntop:/usr/sbin/nologin
smokeping:x:105:1004:added by portage for
smokeping:/var/lib/smokeping:/usr/sbin/nologin
mysql:x:60:60:added by portage for mysql:/dev/null:/usr/sbin/nologin
arpwatch:x:106:1006:added by portage for
arpwatch:/var/lib/arpwatch:/usr/sbin/nologin
clamav:x:107:1007:added by portage for clamav:/dev/null:/usr/sbin/nologin
dhcp:x:108:1008:added by portage for dhcp:/var/lib/dhcp:/usr/sbin/nologin
shttpd:x:109:1009:added by portage for
shttpd:/var/www/localhost/htdocs:/usr/sbin/nologin
proftpd:x:110:1010:added by portage for proftpd:/dev/null:/usr/sbin/nologin
messagebus:x:111:1011:added by portage for dbus:/dev/null:/sbin/nologin
ftp:x:21:21:added by portage for ftpbase:/home/ftp:/sbin/nologin
rpc:x:113:111:added by portage for portmap:/dev/null:/sbin/nologin
bacula:x:114:1013:added by portage for bacula:/var/lib/bacula:/sbin/nologin
named:x:40:40:added by portage for bind:/etc/bind:/sbin/nologin
zope:x:261:261:added by portage for zope:/var/lib/zope:/sbin/nologin
polw:x:115:1017:added by portage for policyd-weight:/dev/null:/sbin/nologin
tcpdump:x:116:1018:added by portage for tcpdump:/dev/null:/sbin/nologin
at:x:25:25:added by portage for at:/var/spool/cron/atjobs:/sbin/nologin
asterisk:x:112:1021:added by portage for
asterisk:/var/lib/asterisk:/sbin/nologin
xfs:x:33:33:added by portage for xfs:/etc/X11/fs:/sbin/nologin

(In reply to comment #0)
> Since it would be hard to change all /usr/sbin/nologin entries to
> /sbin/nologin

sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd

does it really matter ?  if the login shell doesnt exist, the user cant login. 
if the login shell does exist, but points to nologin, the user cant login.

we could have the shadow ebuild do the upgrade in pkg_postinst ...

(In reply to comment #1)
> (In reply to comment #0)
> > Since it would be hard to change all /usr/sbin/nologin entries to
> > /sbin/nologin
> 
> sed -i -e 's:/usr/sbin/nologin:/sbin/nologin:g' /etc/passwd
> 

Obviously a pro-user knows he can run sed or ViM. I'm not speaking for me. It's
for basic users. My point is to solve this thought ebuilds only, automatically.
Running `sed` in an ebuild on a live /etc/passwd may be dangerous.

@Vapier: it's not too important from a security PoV, but nologin is a useful
program that :
 - prints the user a message that his account is not avaible
 - calls syslog
That has two purposes :
 - inform the user
 - syslog: differentiate formerly valid then denied account; and generic
accounts like named, mysql...

You may argue that an administrator of a multi-user SSH box is able to discover
and manually fix this issue, but, still, that change of behaviour is
surprinsing and may stay hidden for some time...

either we run the sed in baselayout to automatically convert /usr/sbin/nologin
to /sbin/nologin if $ROOT/usr/sbin/nologin doesnt exist, or we just stick with
the standard warning about user accounts with invalid shells.

as for nologin displaying an informative message, i'd make the statement that
the curt message "This account is currently not available." is just about as
useful as no message at all.

the syslog aspect though is semi-useful ... i wasnt aware that the binary
actually did that.

http://sources.gentoo.org/sys-apps/baselayout/baselayout-2.0.0.ebuild?r1=1.3&r2=1.4