Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <Ephaeton@gmx.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 02/22/2002 16:29:19
[ On Friday, February 22, 2002 at 15:04:12 (+0100), Martin Weber wrote: ]
> Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
>
> I think that adding /sbin/nologin to /etc/shells per default would
> be a sane option to resolve the problem, but I guess I'm just missing
> something quite obvious.
I think you're mixing purposes with /etc/shells here.
Let us RTFM to start here:
The shells file contains a list of the shells on the system. It can be
used in conjunction with the Hesiod domain `shells', and the NIS map
`shells', as controlled by nsswitch.conf(5).
Hmmm.... OK, well by this definition alone then /sbin/nologin might be
considered to be a valid shell....
But there's more! What's really important is how /etc/shells is used:
chpass allows editing of the user database information associated with
user or, by default, the current user. The information is formatted and
supplied to an editor for changes.
[[ ... ]]
The shell field is the command interpreter the user prefers. If the
shell field is empty, the Bourne shell, /bin/sh, is assumed. When alter-
ing a login shell, and not the super-user, the user may not change from a
non-standard shell or to a non-standard shell. Non-standard is defined
as a shell not found in /etc/shells.
Hmmm.... by this definition of how /etc/shells is used I'd say
/sbin/nologin is definitely a ``non-standard shell'' (and while you
might say that it's OK for a user to shoot themselves in the foot, I
would suggest that's not a good default -- do it on your system alone if
you feel it's a good idea to allow such a thing!).
But wait, there's more still:
ftpd is the Internet File Transfer Protocol server process. The server
uses the TCP protocol and listens at the port specified in the ``ftp''
service specification;
[[ ... ]]
To set up "ftp-only" accounts that provide only FTP, but no valid shell
login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter
/sbin/ftplogin to /etc/shells to allow logging-in via FTP into the ac-
counts, which must have /sbin/ftplogin as login shell.
Hmmm.... that seems to confirm my assertion above. /sbin/nologin is a
non-standard shell and you definitely do not want users assigned
/sbin/nologin to be able to FTP, but you might want another similar
"valid" shell to be used by FTP-only users.
In the end I did this to quiet /etc/security on my systems:
***************
*** 181,189 ****
continue;
shells[$1]++;
}
FS=":";
}
-
{
if ($0 ~ /^[ ]*$/) {
printf "Line %d is a blank line.\n", NR;
--- 64,74 ----
continue;
shells[$1]++;
}
+ shells["/sbin/nologin"]++;
+ shells["/usr/games/wargames"]++;
+ shells["/usr/libexec/uucp/uucico"]++;
FS=":";
}
{
if ($0 ~ /^[ ]*$/) {
printf "Line %d is a blank line.\n", NR;
I think that's a little cleaner than your patch, though definition of a
companion file such as /etc/shells.nonstd might be even better (I
usually prefer data-driven programs to modifying hard-coded data within
a program, but I was too lazy to go that far with my own local source tree).
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>