Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: Andrew Brown <atatat@atatdot.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 02/24/2002 14:43:42
[ On Saturday, February 23, 2002 at 00:49:58 (-0500), Andrew Brown wrote: ]
> Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
>
> >> this sounds reasonable, but, iirc, will later cause accounts that have
> >> no password to be declared "inactive but with a valid shell".
> >
> >Yes, of course -- that's the desired behaviour. If you don't want
> >some/all of those reported then that's a different issue.
>
> eliminating one "erroneous" message so that one gets three more is
> most certainly not the point.
These are TOTALLY SEPARATE ISSUES!!!!!
> accounts that currently have * as the
> password and /sbin/nologin as the shell should not cause any message
> from /etc/security.
Well now that depends on what a given site's security policy says, now
doesn't it?
In the "normal" case such accounts are aberrations and should be
reported by /etc/security.
If on your system the locked accounts (and of course '*' is only a
semi-common convention, not the only way to lock an account -- my own
/etc/security recognizes all possible means of locking accounts) are
"normal" then perhaps you'd like to have a bit more dynamic runtime
control over the checks done by /etc/security and how they are reported.
> >> a better fix might be to specifically allow /sbin/nologin as a shell
> >> at the point that emits the complaint in question.
> >
> >No, I don't think so. At least with adding the shells explicitly to the
> >list in the array you don't have to mess with an ever more complex
> >expression in the logic of the program.....
>
> # diff /etc/security /usr/src/etc/security
> 215c215
> < } else if (! shells[$10] && $10 != "/sbin/nologin")
> ---
> > } else if (! shells[$10])
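Review bot: the exemption is hard-coded as a second clause of the comparison (`$10 != "/sbin/nologin"`), so the set of acceptable shells now lives in two places, the `shells` array loaded from /etc/shells and a string literal inside the test; adding "/sbin/nologin" to the `shells` array at the point where it is populated keeps the condition `! shells[$10]` unchanged and the policy in one place. Note also that this diff runs the local /etc/security against /usr/src/etc/security, so the `<` line is the modified version and the `>` line is the stock one.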
Thank you for reinforcing my point again for me!
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
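Added here as an example of the check the quoted diff touches, not NetBSD's own /etc/security script: a small shell/awk function that loads /etc/shells into the `shells` array, admits /sbin/nologin by adding it to that array once (rather than as an extra clause in the comparison), and reports both accounts whose shell is not listed and locked ('*' password) accounts that still carry a usable shell. The function name, the message wording and the sample files used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: a minimal form of the
# "login shell not in /etc/shells" check the thread argues about.
# /sbin/nologin is admitted by adding it to the awk array that holds
# the /etc/shells entries, so the test itself stays "! shells[$10]".
# Account lines use the master.passwd layout: the shell is field 10.

# check_accounts PASSWD_FILE SHELLS_FILE
# Prints one line per account worth a look and nothing otherwise:
#   "<user>: shell <path> not in shells list"
#   "<user>: locked but shell <path> is valid"   ('*' password, usable shell)
check_accounts() {
    awk -F: -v nologin=/sbin/nologin '
        BEGIN { shells[nologin] = 1 }          # the one explicit exception
        # First file: the shells list. Skip blank lines and # comments.
        FILENAME == ARGV[1] {
            if ($0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*#/) next
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            shells[$0] = 1
            next
        }
        # Second file: the account database.
        $0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*#/ { next }
        NF < 10 { printf "%s: malformed entry\n", $1; next }
        !shells[$10] { printf "%s: shell %s not in shells list\n", $1, $10 }
        # A locked account should carry nologin; a usable shell is reported.
        $2 ~ /^\*/ && $10 != nologin && shells[$10] {
            printf "%s: locked but shell %s is valid\n", $1, $10
        }
    ' "$2" "$1"
}
```

With the real files this is `check_accounts /etc/master.passwd /etc/shells`, run as root since master.passwd is not world-readable.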