Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: Andrew Brown <atatat@atatdot.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 02/24/2002 14:43:42
[ On Saturday, February 23, 2002 at 00:49:58 (-0500), Andrew Brown wrote: ]
> Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
>
> >> this sounds reasonable, but, iirc, will later cause accounts that have
> >> no password to be declared "inactive but with a valid shell".
> >
> >Yes, of course -- that's the desired behaviour.  If you don't want
> >some/all of those reported then that's a different issue.
> 
> eliminating one "erroneous" message so that one gets three more is
> most certainly not the point.

These are TOTALLY SEPARATE ISSUES!!!!!

>  accounts that currently have * as the
> password and /sbin/nologin as the shell should not cause any message
> from /etc/security.

Well now that depends on what a given site's security policy says, now
doesn't it?

In the "normal" case such accounts are aberrations and should be
reported by /etc/security.

If on your system the locked accounts (and of course '*' is only a
semi-common convention, not the only way to lock an account -- my own
/etc/security recognizes all possible means of locking accounts) are
"normal" then perhaps you'd like to have a bit more dynamic runtime
control over the checks done by /etc/security and how they are reported.

> >> a better fix might be to specifically allow /sbin/nologin as a shell
> >> at the point that emits the complaint in question.
> >
> >No, I don't think so.  At least with adding the shells explicitly to the
> >list in the array you don't have to mess with an ever more complex
> >expression in the logic of the program.....
> 
> # diff /etc/security /usr/src/etc/security
> 215c215
> <               } else if (! shells[$10] && $10 != "/sbin/nologin")
> ---
> >               } else if (! shells[$10])
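Review bot: the `<` line at 215 (the installed /etc/security, since the source tree copy is the second argument to `diff`) hard-codes one shell path inside the awk test, `! shells[$10] && $10 != "/sbin/nologin"`, so every further locking shell would add another `&&` term to that condition; putting such shells into the `shells` array when it is populated, which is what the quoted reply argues for, keeps the test at `! shells[$10]`. As the quoted exchange also notes, accounts with those shells then fall through to the later "no password with valid shell" report, which is a separate policy question from the shape of this condition.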

Thank you for reinforcing my point again for me!

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
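The array-based approach argued over above, as an added example that is not the thread's or NetBSD's /etc/security code: it assumes the master.passwd layout with the password in field 2 and the shell in field 10, uses a constructed /etc/shells and passwd sample, and tags every account (locked, non-standard shell, no password with a valid shell) rather than deciding which of those a site should report.

```shell
#!/bin/sh
# Added illustration, not the real /etc/security: build the set of valid
# shells as one awk array from /etc/shells, add the locking shells to the
# same array, and keep the membership test to a single "$10 in shells".

# Constructed sample data (not from any real system).
SAMPLE_SHELLS='# /etc/shells: valid login shells
/bin/sh
/bin/csh
/bin/ksh'

SAMPLE_PASSWD='root:$1$abc$xyz:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
guest::1000:1000::0:0:Guest:/home/guest:/bin/sh
sync::2:2::0:0:sync:/:/sbin/nologin
dummy::1001:1001::0:0:Dummy:/nonexistent:/usr/bin/false
tester:$2b$10$hash:1002:1002::0:0:Tester:/home/tester:/usr/local/bin/zsh'

# check_passwd SHELLS_FILE PASSWD_FILE -> prints "user:tag" per odd account.
check_passwd() {
    awk -F: -v shellsfile="$1" '
    BEGIN {
        # Load /etc/shells, skipping comments and blank lines.
        while ((getline line < shellsfile) > 0) {
            if (line ~ /^#/ || line ~ /^[ \t]*$/) continue
            shells[line] = 1
        }
        close(shellsfile)
        # Locking shells go into the same array, so no extra "&&" terms.
        shells["/sbin/nologin"] = 1;  locking["/sbin/nologin"] = 1
        shells["/usr/bin/false"] = 1; locking["/usr/bin/false"] = 1
    }
    {
        # "*" is only the semi-common locking convention mentioned in the thread.
        if ($10 in locking || $2 == "*") tag = "locked"
        else if (!($10 in shells))      tag = "nonstandard-shell"
        else if ($2 == "")              tag = "no-password-valid-shell"
        else next
        print $1 ":" tag
    }' "$2"
}

# Writes the sample data to temporary files and runs the check over them.
run_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_SHELLS" > "$dir/shells"
    printf '%s\n' "$SAMPLE_PASSWD" > "$dir/master.passwd"
    check_passwd "$dir/shells" "$dir/master.passwd"
    rm -rf "$dir"
}
```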