Subject: Re: su vs. nobody (was: CVS commit: basesrc/etc)
To: Perry E. Metzger <>
From: Greg A. Woods <>
List: tech-security
Date: 10/27/2002 11:46:06
[ On , October 27, 2002 at 10:37:15 (-0500), Perry E. Metzger wrote: ]
> Subject: Re: CVS commit: basesrc/etc
> matthew green <> writes:
> >    Module Name:	basesrc
> >    Committed By:	christos
> >    Date:		Sun Oct 27 00:07:48 UTC 2002
> >    
> >    Modified Files:
> >    	basesrc/etc: master.passwd
> >    
> >    Log Message:
> >    Don't make the shell of nobody /sbin/nologin. There are programs that expect
> >    to be executing su nobody -c 'command', such as xdm's Xwilling do this.
> > 
> > was this change discussed anywhere?
> Indeed. I'm not sure the true answer isn't something like having an
> option to su to use /bin/sh instead of your login shell.

... and there already is just such an option:  '-m'

If the target user's shell is non-standard (i.e. not in /etc/shells,
which /sbin/nologin normally isn't) then of course it only works if the
caller is root, but in this case the caller will be root, right?

Of course now the caller will also have to be more careful about the
environment settings, but perhaps in this case doing so is as simple as
also using 'env -i'.

It also means the invoker's login shell will be used, but if the idea is
to use /bin/sh then the invoker can easily arrange for that too....

That said I personally don't really care one way or another what shell
is used for the 'nobody' account, assuming we're talking about the
account used exclusively as the NFS anonymous user.

However "we" all really must think a lot harder about this often
dangrous overloading of some generic least-privileged account amongst
various applications.  The average admin won't see anything wrong with
simultaneously running an NFS server and running some network daemon
which needs write access to log files, etc.; both using the same
'nobody' on the same server host.  Personally I've been renaming the
default -2:-2 user to be "nfsanon:nfsnogrp" so that my users won't
confuse the privileges of various daemons they might run as "nobody"
with accesses by remote client superusers on an NFS server.

(Oh, right -- NetBSD doesn't yet, and can't without patches, have a
default -2:-2 user even though its mountd(8) still uses -2:-2 as the
default anonymous (-maproot) user....  :-)

								Greg A. Woods

+1 416 218-0098;            <>;           <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>