Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <>
From: Martin Weber <>
List: netbsd-bugs
Date: 02/22/2002 15:04:12
>Number:         15698
>Category:       admin
>Synopsis:       /etc/security stumbles over /sbin/nologin as "toor" shell
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    netbsd-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 22 06:05:01 PST 2002
>Originator:     Martin Weber
>Release:        NetBSD 1.5ZA
Entropie Erlangen
System: NetBSD 1.5ZA NetBSD 1.5ZA (PHAETON) #0: Thu Feb 14 22:51:12 CET 2002 i386
Architecture: i386
Machine: i386
	The password file check done by /etc/security (if you put
	check_passwd=YES into your /etc/security.conf) stumbles over
	/sbin/nologin, because that is not an entry in /etc/shells.
	So it reports the following for my toor entry, which is:
	toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
	(still wondering what I could use it for anyway; never had
	 any problem with it using /sbin/nologin as shell)
	as errant:
Checking the /etc/master.passwd file:
Login toor does not have a valid shell (/sbin/nologin)

	Remark: /etc/security is 1.74:
     $NetBSD: security,v 1.74 2001/12/18 00:44:20 lukem Exp $

	vipw, change the toor shell to /sbin/nologin, run /etc/security
	with check_passwd=YES in /etc/security.conf
	I am not sure if this is to be filed as sw-bug or change-request :)
	but imho changing a shell entry to /sbin/nologin should be fine, and
	not end up in a report like that (compare the toor login to e.g. daemon,
	operator, bin, etc., which use /sbin/nologin, too).

	I think that adding /sbin/nologin to /etc/shells by default would
	be a sane option to resolve the problem, but I guess I'm just missing
	something quite obvious.

	Another option would be to change the awk check a bit:
--- security    Fri Feb 22 15:02:45 2002
+++ /etc/security       Wed Feb 20 17:31:09 2002
@@ -212,7 +212,7 @@
                        if ($10 == "" || shells[$10])
                    printf "Login %s is off but still has a valid shell (%s)\n",
                                    $1, $10;
-               } else if (! shells[$10] && $10 != "/sbin/nologin" )
+               } else if (! shells[$10])
                        printf "Login %s does not have a valid shell (%s)\n",
                            $1, $10;
                if ($3 == 0 && $1 != "root" && $1 != "toor")
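Review bot: the hunk is reversed: the `---` side is `security` dated Feb 22 (the edited working copy) and the `+++` side is the installed `/etc/security` from Feb 20, so the `-` line is the one carrying the intended exemption, `} else if (! shells[$10] && $10 != "/sbin/nologin" )`, and the `+` line is the unmodified unconditional test. Fed to `patch` as written this would delete the exemption rather than add it; regenerate it the other way round (`diff -u /etc/security security`) so the exempting line appears with `+`. Two smaller points on the exempting line itself: the test is an exact string compare, so a shell field that reaches the same program under another path (a symlink, say) is still reported, and the exemption should stay out of the "off" branch just above it, where a nologin shell on a locked account is correctly not reported as "still has a valid shell". The alternative mentioned earlier, listing /sbin/nologin in /etc/shells, removes the special case but also makes every program that consults /etc/shells via getusershell(3) (ftpd's login check, chsh/chpass for non-root users) treat nologin accounts as having an acceptable shell, which is the reason it is not listed there by default.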
	But again, I guess I'm just missing something quite obvious.
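As an added example that is not part of this PR and is not NetBSD's own /etc/security: a small sh/awk script that reproduces the shell-validity part of the check_passwd test over a constructed master.passwd and a constructed /etc/shells, so the unpatched test and the proposed /sbin/nologin exemption can be compared side by side. The sample accounts, the temp-file layout, and the "off" criterion (password field beginning with *LOCKED*) are assumptions made for this demonstration; the PR does not show how /etc/security decides that a login is off.

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: the shell-validity part of the
# check_passwd test, run over constructed sample files so it works offline.

# mk_sample: write a constructed /etc/shells and master.passwd into a temp
# directory and print the directory name. Sample data, not real accounts.
mk_sample() {
  d=$(mktemp -d)
  cat > "$d/shells" <<'EOF'
# list of acceptable login shells (constructed sample)
/bin/sh
/bin/csh
EOF
  cat > "$d/master.passwd" <<'EOF'
root:$2a$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:/sbin/nologin
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
locked:*LOCKED*$2a$hash:1000:100::0:0:Locked user:/home/locked:/bin/sh
weird:*:1001:100::0:0:Odd shell:/home/weird:/usr/local/bin/zsh
EOF
  echo "$d"
}

# check_shells SHELLS MASTER_PASSWD EXEMPT
#   EXEMPT=yes tolerates /sbin/nologin (the patched behaviour the PR asks
#   for); EXEMPT=no is the unconditional /etc/shells lookup. One line is
#   printed per finding, in the same wording /etc/security uses.
check_shells() {
  awk -F: -v exempt="$3" '
    FNR == NR {                      # first file: the shells list
      sub(/#.*/, "");                # drop comments
      if ($0 ~ /^[ \t]*$/) next;     # and blank lines
      shells[$1] = 1;                # remember each acceptable shell
      next
    }
    {
      # master.passwd fields: $1 login, $2 password, $10 shell.
      # Assumption for this example: a login is "off" when its password
      # field starts with *LOCKED*; a bare "*" (toor, daemon) is not off.
      off = ($2 ~ /^\*LOCKED\*/);
      if (off) {
        if ($10 == "" || shells[$10])
          printf "Login %s is off but still has a valid shell (%s)\n", $1, $10;
      } else if (!shells[$10] && !(exempt == "yes" && $10 == "/sbin/nologin"))
        printf "Login %s does not have a valid shell (%s)\n", $1, $10;
    }' "$1" "$2"
}

# run_unpatched / run_patched: build the sample, run one variant, clean up.
run_unpatched() {
  d=$(mk_sample); check_shells "$d/shells" "$d/master.passwd" no; rm -r "$d"
}
run_patched() {
  d=$(mk_sample); check_shells "$d/shells" "$d/master.passwd" yes; rm -r "$d"
}

echo "== unconditional /etc/shells lookup =="
run_unpatched
echo "== with /sbin/nologin exempted =="
run_patched
```

With the constructed data the unpatched run reports toor, daemon and weird as having no valid shell and locked as off-but-valid; the exempted run drops the two nologin accounts and keeps the other two, which is the behaviour the PR's hunk is after. The exemption is an exact string compare, so only the spelling /sbin/nologin is tolerated.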