Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <Ephaeton@gmx.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 02/22/2002 16:29:19
[ On Friday, February 22, 2002 at 15:04:12 (+0100), Martin Weber wrote: ]
> Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
>
> 	I think that adding /sbin/nologin to /etc/shells per default would
> 	be a sane option to resolve the problem, but I guess I'm just missing
> 	something quite obvious.

I think you're mixing purposes with /etc/shells here.

Let us RTFM to start here:

     The shells file contains a list of the shells on the system.  It can be
     used in conjunction with the Hesiod domain `shells', and the NIS map
     `shells', as controlled by nsswitch.conf(5).

Hmmm.... OK, well by this definition alone then /sbin/nologin might be
considered to be a valid shell....

But there's more!  What's really important is how /etc/shells is used:

     chpass allows editing of the user database information associated with
     user or, by default, the current user.  The information is formatted and
     supplied to an editor for changes.

  [[ ... ]]

     The shell field is the command interpreter the user prefers.  If the
     shell field is empty, the Bourne shell, /bin/sh, is assumed.  When alter-
     ing a login shell, and not the super-user, the user may not change from a
     non-standard shell or to a non-standard shell.  Non-standard is defined
     as a shell not found in /etc/shells.

Hmmm....  by this definition of how /etc/shells is used I'd say
/sbin/nologin is definitely a ``non-standard shell'' (and while you
might say that it's OK for a user to shoot themselves in the foot, I
would suggest that's not a good default -- do it on your system alone if
you feel it's a good idea to allow such a thing!).


But wait, there's more still:

     ftpd is the Internet File Transfer Protocol server process.  The server
     uses the TCP protocol and listens at the port specified in the ``ftp''
     service specification;

  [[ ... ]]

     To set up "ftp-only" accounts that provide only FTP, but no valid shell
     login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter
     /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the ac-
     counts, which must have /sbin/ftplogin as login shell.

Hmmm.... that seems to confirm my assertion above.  /sbin/nologin is a
non-standard shell and you definitely do not want users assigned
/sbin/nologin to be able to FTP, but you might want another similar
"valid" shell to be used by FTP-only users.


In the end I did this to quiet /etc/security on my systems:

***************
*** 181,189 ****
                                continue;
                        shells[$1]++;
                }
                FS=":";
        }
- 
        {
                if ($0 ~ /^[     ]*$/) {
                        printf "Line %d is a blank line.\n", NR;
--- 64,74 ----
                                continue;
                        shells[$1]++;
                }
+               shells["/sbin/nologin"]++;
+               shells["/usr/games/wargames"]++;
+               shells["/usr/libexec/uucp/uucico"]++;
                FS=":";
        }
        {
                if ($0 ~ /^[     ]*$/) {
                        printf "Line %d is a blank line.\n", NR;
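
Review bot: the three added shells[...]++ lines hard-code the exemption list in the script with no comment saying why these paths, which are deliberately absent from /etc/shells, are accepted. Add a one-line comment above them, or load them from a separate file so that local additions do not require editing the script. They also run unconditionally, so an account using /usr/games/wargames or /usr/libexec/uucp/uucico is accepted without a message even on a system that has neither installed. The removal of the blank line before the main { block is an unrelated whitespace change and is better left out of this patch.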


I think that's a little cleaner than your patch, though definition of a
companion file such as /etc/shells.nonstd might be even better (I
usually prefer data-driven programs to modifying hard-coded data within
a program, but I was too lazy to go that far with my own local source tree).

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
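
The data-driven variant suggested at the end of the message above, as an added example that is not part of the original post or of NetBSD's /etc/security: the exemptions live in a companion file (the proposed /etc/shells.nonstd) and the check also reports any path that appears in both files. The function name, the output wording, the 7-field passwd(5) layout and the sample data are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: passwd shell check driven by two data files.
# $1 passwd-format file, $2 shells file, $3 companion list of deliberate
# non-login shells (the message's proposed /etc/shells.nonstd).
check_shells() {
    awk -v shells="$2" -v nonstd="$3" '
    # Load one path per line into list[tag, path]; skip comments and blanks.
    function load(file, tag,    line) {
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") list[tag, line] = 1
        }
        close(file)
    }
    BEGIN {
        FS = ":"
        load(shells, "std"); load(nonstd, "nonstd")
        # A path in both files defeats the split: programs that consult
        # the shells file would accept it as a standard shell.
        for (k in list) {
            split(k, p, SUBSEP)
            if (p[1] == "nonstd" && (("std", p[2]) in list))
                printf "%s is listed in both files\n", p[2]
        }
    }
    /^[ \t]*$/ { next }
    {
        sh = ($7 == "") ? "/bin/sh" : $7    # empty field means /bin/sh
        if (!(("std", sh) in list) && !(("nonstd", sh) in list))
            printf "login %s has unlisted shell %s\n", $1, sh
    }' "$1"
}

# Constructed sample data (not from a real system).
d=$(mktemp -d)
printf '%s\n' '# standard shells' /bin/sh /bin/csh /sbin/ftplogin > "$d/shells"
printf '%s\n' /sbin/nologin /usr/libexec/uucp/uucico > "$d/shells.nonstd"
cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
upload:*:1001:1001:FTP only:/home/upload:/sbin/ftplogin
oddball:*:1002:1002:Odd:/home/oddball:/usr/local/bin/myshell
noshell:*:1003:1003:Empty field:/home/noshell:
EOF
check_shells "$d/passwd" "$d/shells" "$d/shells.nonstd"
```

A missing companion file is treated as an empty list, so the check then reduces to a plain comparison against the shells file.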