Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <gnats-bugs@gnats.netbsd.org>
From: Martin Weber <Ephaeton@gmx.net>
List: netbsd-bugs
Date: 02/22/2002 15:04:12
>Number:         15698
>Category:       admin
>Synopsis:       /etc/security stumbles over /sbin/nologin as "toor" shell
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    netbsd-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 22 06:05:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Martin Weber
>Release:        NetBSD 1.5ZA
>Organization:
Entropie Erlangen
>Environment:
System: NetBSD phaeton.entropie.net 1.5ZA NetBSD 1.5ZA (PHAETON) #0: Thu Feb 14 22:51:12 CET 2002 root@phaeton.entropie.net:/usr/src/sys/arch/i386/compile/PHAETON i386
Architecture: i386
Machine: i386
>Description:
	The password file check done by /etc/security (if you put
	check_passwd=YES into your /etc/security.conf) stumbles over
	/sbin/nologin, because that is no entry in /etc/shells.
	So it reports the following for my toor entry which is:
	toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
	(still wondering what I could use it for anyway; never had
	 any problem with it using /sbin/nologin as shell)
	as errant:
	(quote:)
Checking the /etc/master.passwd file:
Login toor does not have a valid shell (/sbin/nologin)

	Remark: /etc/security is 1.74:
/etc/security:
     $NetBSD: security,v 1.74 2001/12/18 00:44:20 lukem Exp $

>How-To-Repeat:
	vipw, change toor shell to /sbin/nologin, run /etc/security
	with check_passwd=YES in /etc/security.conf
>Fix:
	I am not sure if this is to be filed as sw-bug or change-request :)
	but imho changing a shell entry to /sbin/nologin should be fine, and
	not end up in a report like that (compare the toor login to e.g. daemon,
	operator, bin, etc.; those use /sbin/nologin, too).

	I think that adding /sbin/nologin to /etc/shells per default would
	be a sane option to resolve the problem, but I guess I'm just missing
	something quite obvious.

	Another option would be to change the awk checking a bit:
------------
--- security    Fri Feb 22 15:02:45 2002
+++ /etc/security       Wed Feb 20 17:31:09 2002
@@ -212,7 +212,7 @@
                        if ($10 == "" || shells[$10])
                    printf "Login %s is off but still has a valid shell (%s)\n",
                                    $1, $10;
-               } else if (! shells[$10] && $10 != "/sbin/nologin" )
+               } else if (! shells[$10])
                        printf "Login %s does not have a valid shell (%s)\n",
                            $1, $10;
                if ($3 == 0 && $1 != "root" && $1 != "toor")
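Review bot: the hunk reads backwards. The `---` side is the edited copy (`security`, dated Fri Feb 22) and the `+++` side is the installed `/etc/security` (dated Wed Feb 20), so as written the diff removes the `$10 != "/sbin/nologin"` exemption instead of adding it; applied to a stock `/etc/security` it would not apply at all. Regenerate it with the installed file as the old side, e.g. `diff -u /etc/security security`, so the intended change appears as the `+` line `} else if (! shells[$10] && $10 != "/sbin/nologin" )`. Also note that the exemption is an exact string compare on field 10, so it covers only that one spelling of the path and not other non-login shells, which is consistent with the report's narrower aim but worth stating in the commit message.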
------------
	But again, I guess I'm just missing something quite obvious.

>Release-Note:
>Audit-Trail:
>Unformatted:
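The check described in the report, as an added example that is not part of this PR or of NetBSD's /etc/security: a POSIX shell function that performs the same /etc/shells lookup over a constructed master.passwd and shells file, first as the script behaves today and then with the /sbin/nologin exemption the PR proposes. The sample data, the temporary paths and the function name check_shells are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample data (not taken from any real system): a minimal
# master.passwd in NetBSD's 10-field format and an /etc/shells list
# that, like the reporter's, does not contain /sbin/nologin.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/master.passwd" <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home:shell
root:*:0:0::0:0:Charlie Root:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
alice:*:1000:100::0:0:Alice Example:/home/alice:/usr/pkg/bin/zsh
EOF
cat > "$SAMPLE_DIR/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/csh
EOF

# check_shells PASSWD SHELLS [EXEMPT]
# Prints one line per login whose shell (field 10) is not listed in SHELLS,
# mirroring the check_passwd awk in /etc/security. An optional EXEMPT path
# (e.g. /sbin/nologin) is accepted even though it is absent from SHELLS.
check_shells() {
    awk -F: -v shellfile="$2" -v exempt="${3:-}" '
        BEGIN {
            # load the shells file, skipping comments and blank lines
            while ((getline line < shellfile) > 0)
                if (line !~ /^#/ && line != "") shells[line] = 1
            close(shellfile)
        }
        /^#/ || NF < 10 { next }   # comments and malformed entries
        !shells[$10] && (exempt == "" || $10 != exempt) {
            printf "Login %s does not have a valid shell (%s)\n", $1, $10
        }
    ' "$1"
}

# Same data, before and after the exemption proposed in the PR.
echo "--- without exemption (current behaviour: toor, daemon, alice)"
check_shells "$SAMPLE_DIR/master.passwd" "$SAMPLE_DIR/shells"
echo "--- with /sbin/nologin exempted (only alice remains)"
check_shells "$SAMPLE_DIR/master.passwd" "$SAMPLE_DIR/shells" /sbin/nologin
```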