Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: None <>
From: Greg A. Woods <>
List: netbsd-bugs
Date: 02/22/2002 16:29:19
[ On Friday, February 22, 2002 at 15:04:12 (+0100), Martin Weber wrote: ]
> Subject: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
> 	I think that adding /sbin/nologin to /etc/shells per default would
> 	be a sane option to resolve the problem, but I guess I'm just missing
> 	something quite obvious.

I think you're mixing purposes with /etc/shells here.

Let us RTFM to start here:

     The shells file contains a list of the shells on the system.  It can be
     used in conjunction with the Hesiod domain `shells', and the NIS map
     `shells', as controlled by nsswitch.conf(5).

Hmmm.... OK, well by this definition alone then /sbin/nologin might be
considered to be a valid shell....

But there's more!  What's really important is how /etc/shells is used:

     chpass allows editing of the user database information associated with
     user or, by default, the current user.  The information is formatted and
     supplied to an editor for changes.

  [[ ... ]]

     The shell field is the command interpreter the user prefers.  If the
     shell field is empty, the Bourne shell, /bin/sh, is assumed.  When
     altering a login shell, and not the super-user, the user may not change
     from a non-standard shell or to a non-standard shell.  Non-standard is
     defined as a shell not found in /etc/shells.

Hmmm....  by this definition of how /etc/shells is used I'd say
/sbin/nologin is definitely a ``non-standard shell'' (and while you
might say that it's OK for a user to shoot themselves in the foot, I
would suggest that's not a good default -- do it on your system alone if
you feel it's a good idea to allow such a thing!).

But wait, there's more still:

     ftpd is the Internet File Transfer Protocol server process.  The server
     uses the TCP protocol and listens at the port specified in the ``ftp''
     service specification;

  [[ ... ]]

     To set up "ftp-only" accounts that provide only FTP, but no valid shell
     login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter
     /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the
     accounts, which must have /sbin/ftplogin as login shell.

Hmmm.... that seems to confirm my assertion above.  /sbin/nologin is a
non-standard shell and you definitely do not want users assigned
/sbin/nologin to be able to FTP, but you might want another similar
"valid" shell to be used by FTP-only users.

In the end I did this to quiet /etc/security on my systems:

*** 181,189 ****
                if ($0 ~ /^[     ]*$/) {
                        printf "Line %d is a blank line.\n", NR;
--- 64,74 ----
+               shells["/sbin/nologin"]++;
+               shells["/usr/games/wargames"]++;
+               shells["/usr/libexec/uucp/uucico"]++;
                if ($0 ~ /^[     ]*$/) {
                        printf "Line %d is a blank line.\n", NR;
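Review bot: the hunk headers do not line up (old range `*** 181,189 ****` against new range `--- 64,74 ----`, and no leading context lines are shown before the three added lines), so this fragment will not apply with patch(1) as posted and should be regenerated from the actual /etc/security source. On the change itself, the three `shells[...]++` seeds are hard-coded with no comment saying why those paths are exempt from the /etc/shells check; add a one-line awk comment above them stating that these are legitimate passwd login shells that must stay out of /etc/shells, or, better, read them from a companion data file such as the /etc/shells.nonstd mentioned in the text so local additions do not require editing the script. Note also that /usr/games/wargames and /usr/libexec/uucp/uucico go beyond the PR's /sbin/nologin case and deserve a sentence of justification alongside the change.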

I think that's a little cleaner than your patch, though definition of a
companion file such as /etc/shells.nonstd might be even better (I
usually prefer data-driven programs to modifying hard-coded data within
a program, but I was too lazy to go that far with my own local source tree).

								Greg A. Woods

+1 416 218-0098;  <>;  <>;  <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>
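The message's point is that /etc/shells answers "which shells may a user pick with chpass(1) or log in with via ftpd(8)", while /etc/security wants to know "which login shells in passwd are legitimate", and those are different sets. The POSIX sh audit below is an added example written for this page; it is not the message's patch and not NetBSD's /etc/security script. It implements the data-driven alternative the message suggests: accounts are flagged only when their login shell is in neither /etc/shells nor a companion allowlist (the /etc/shells.nonstd name comes from the message; its one-path-per-line format with `#` comments is assumed here). All passwd, shells and shells.nonstd contents are constructed sample data written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original message or from NetBSD's /etc/security):
# flag passwd accounts whose login shell is neither in a shells(5)-style file
# nor in a companion allowlist of known non-standard login shells.

# list_shells FILE: print one shell path per line, ignoring '#' comments,
# surrounding whitespace and blank lines.  sed alone so the status is always 0.
list_shells() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_shells PASSWD SHELLS NONSTD
# Prints one line per offending account; returns 0 if clean, 1 otherwise.
# NONSTD (the assumed /etc/shells.nonstd companion file) may be absent.
check_shells() {
    passwd=$1; shells=$2; nonstd=$3
    allowed=$( { list_shells "$shells"; if [ -f "$nonstd" ]; then list_shells "$nonstd"; fi; } )
    count=0
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        # chpass(1): an empty shell field means /bin/sh.
        [ -z "$shell" ] && shell=/bin/sh
        found=0
        for s in $allowed; do
            [ "$s" = "$shell" ] && { found=1; break; }
        done
        if [ "$found" -eq 0 ]; then
            printf 'Login %s has a non-standard shell: %s\n' "$user" "$shell"
            count=$((count + 1))
        fi
    done < "$passwd"
    if [ "$count" -eq 0 ]; then return 0; else return 1; fi
}

# demo: constructed sample data (not real system files) so the example runs
# offline.  Only 'bob' should be flagged: his shell is installed locally but
# registered in neither file.
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
uucp:*:66:1:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
ftpguest:*:1001:1001:FTP only:/home/ftpguest:/sbin/ftplogin
alice:*:1002:1002:Alice:/home/alice:/bin/ksh
bob:*:1003:1003:Bob:/home/bob:/usr/local/bin/zsh
EOF
    cat > "$d/shells" <<'EOF'
# Shells a user may choose with chpass(1) or use to log in via ftpd(8).
/bin/sh
/bin/csh
/bin/ksh
/sbin/ftplogin
EOF
    cat > "$d/shells.nonstd" <<'EOF'
# Assumed companion file: legitimate passwd login shells that must stay
# out of /etc/shells so nobody can chpass(1) to them or FTP in with them.
/sbin/nologin
/usr/libexec/uucp/uucico
EOF
    if check_shells "$d/passwd" "$d/shells" "$d/shells.nonstd"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo || echo "audit flagged at least one account"
```

Keeping the exemptions in a data file rather than as `shells[...]++` lines in the awk script means a local administrator can add an ftp-only shell or a UUCP login shell without patching /etc/security, and the check still catches an account that quietly acquired a shell nobody registered anywhere.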