Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <gnats-bugs@gnats.netbsd.org>
From: Martin Weber <Ephaeton@gmx.net>
List: netbsd-bugs
Date: 02/22/2002 15:04:12
>Number: 15698
>Category: admin
>Synopsis: /etc/security stumbles over /sbin/nologin as "toor" shell
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: netbsd-admin
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Feb 22 06:05:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Martin Weber
>Release: NetBSD 1.5ZA
>Organization:
Entropie Erlangen
>Environment:
System: NetBSD phaeton.entropie.net 1.5ZA NetBSD 1.5ZA (PHAETON) #0: Thu Feb 14 22:51:12 CET 2002 root@phaeton.entropie.net:/usr/src/sys/arch/i386/compile/PHAETON i386
Architecture: i386
Machine: i386
>Description:
The password file check done by /etc/security (if you put
check_passwd=YES into your /etc/security.conf) stumbles over
/sbin/nologin, because that is not an entry in /etc/shells.
So it reports the following for my toor entry, which is:
toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
(still wondering what I could use it for anyway; never had
any problem with it using /sbin/nologin as its shell)
as errant:
(quote:)
Checking the /etc/master.passwd file:
Login toor does not have a valid shell (/sbin/nologin)
Remark: /etc/security is 1.74:
/etc/security:
$NetBSD: security,v 1.74 2001/12/18 00:44:20 lukem Exp $
>How-To-Repeat:
vipw, change toor shell to /sbin/nologin, run /etc/security
with check_passwd=YES in /etc/security.conf
>Fix:
I am not sure if this is to be filed as sw-bug or change-request :)
but imho changing a shell entry to /sbin/nologin should be fine, and
not end up in a report like that (compare the toor login to e.g. daemon,
operator, bin, etc., which use /sbin/nologin, too).
I think that adding /sbin/nologin to /etc/shells by default would
be a sane option to resolve the problem, but I guess I'm just missing
something quite obvious.
Another option would be to change the awk checking a bit:
------------
--- security Fri Feb 22 15:02:45 2002
+++ /etc/security Wed Feb 20 17:31:09 2002
@@ -212,7 +212,7 @@
if ($10 == "" || shells[$10])
printf "Login %s is off but still has a valid shell (%s)\n",
$1, $10;
- } else if (! shells[$10] && $10 != "/sbin/nologin" )
+ } else if (! shells[$10])
printf "Login %s does not have a valid shell (%s)\n",
$1, $10;
if ($3 == 0 && $1 != "root" && $1 != "toor")
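Review bot: the hunk is reversed: the `---` header names the edited copy (`security`, Feb 22) and `+++` the installed `/etc/security` (Feb 20), so the proposed condition `} else if (! shells[$10] && $10 != "/sbin/nologin" )` shows up as the `-` line and the unmodified `} else if (! shells[$10])` as the `+` line; fed to patch(1) against a stock 1.74 script it would fail, because the line it wants to remove is not there. Regenerate it with the stock file first (`diff -u /etc/security security`) so the added clause appears as `+`. On the content: a literal path buried inside the awk program means the script silently accepts that one shell whatever /etc/shells says; if the special case is kept, define the path once as a shell variable near the top and pass it in with `awk -v`, so the exemption is visible and easy to audit.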
------------
But again, I guess I'm just missing something quite obvious.
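To make the two proposals concrete, here is an added shell example (not NetBSD's /etc/security and not the submitter's code) that re-implements the `! shells[$10]` membership test from the hunk above over constructed sample files, first as security 1.74 behaves and then with /sbin/nologin exempted as proposed; the `check_shells` function, the sample /etc/shells contents and the `martin` login with a `/usr/local/bin/zsh` shell are assumptions, and only the `else if` branch is modelled, not the "off" branch above it.

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: re-implements the
# "valid shell" membership test (! shells[$10]) over constructed files.

# Constructed /etc/shells: comment and blank lines must be skipped,
# as getusershell(3) skips them.
SHELLS_SAMPLE='# List of acceptable shells for chpass(1) and ftpd(8)
/bin/sh
/bin/csh

/bin/ksh'

# Constructed master.passwd excerpt: the toor line is the one from the PR,
# the martin line (assumed) has a shell installed outside /etc/shells.
PASSWD_SAMPLE='root:<hash>:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
martin:<hash>:1000:100::0:0:Example User:/home/martin:/usr/local/bin/zsh'

# check_shells SHELLS_FILE PASSWD_FILE [EXEMPT]
# Prints each login whose shell (field 10) is not listed in SHELLS_FILE.
# With EXEMPT set (e.g. /sbin/nologin) that one shell is accepted as well,
# which is what the proposed  && $10 != "/sbin/nologin"  clause does.
check_shells() {
    awk -F: -v exempt="${3:-}" '
        FNR == NR {                                   # first file: shells list
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next  # comments, blanks
            shells[$1] = 1; next
        }
        # second file: master.passwd
        !shells[$10] && (exempt == "" || $10 != exempt) { print $1 }
    ' "$1" "$2"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '%s\n' "$SHELLS_SAMPLE" > "$TMP/shells"
printf '%s\n' "$PASSWD_SAMPLE" > "$TMP/master.passwd"

echo "security 1.74 behaviour (reports toor and martin):"
check_shells "$TMP/shells" "$TMP/master.passwd"
echo "with /sbin/nologin exempted (reports only martin):"
check_shells "$TMP/shells" "$TMP/master.passwd" /sbin/nologin
```

The other option, listing /sbin/nologin in /etc/shells, is not equivalent: that file is also consulted by chsh(1) and ftpd(8), and ftpd refuses logins whose shell is not listed, so adding nologin there would let ftpd accept accounts that the nologin shell is meant to lock out.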
>Release-Note:
>Audit-Trail:
>Unformatted: