Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
To: Andrew Brown <>
From: Greg A. Woods <>
List: netbsd-bugs
Date: 02/24/2002 14:43:42
[ On Saturday, February 23, 2002 at 00:49:58 (-0500), Andrew Brown wrote: ]
> Subject: Re: admin/15698: /etc/security vs. /etc/shells in regard to /sbin/nologin
> >> this sounds reasonable, but, iirc, will later cause accounts that have
> >> no password to be declared "inactive but with a valid shell".
> >
> >Yes, of course -- that's the desired behaviour.  If you don't want
> >some/all of those reported then that's a different issue.
> eliminating one "erroneous" message so that one gets three more is
> most certainly not the point.
>  accounts that currently have * as the
> password and /sbin/nologin as the shell should not cause any message
> from /etc/security.

Well now that depends on what a given site's security policy says, now
doesn't it?

In the "normal" case such accounts are aberrations and should be
reported by /etc/security.

If on your system the locked accounts (and of course '*' is only a
semi-common convention, not the only way to lock an account -- my own
/etc/security recognizes all possible means of locking accounts) are
"normal" then perhaps you'd like to have a bit more dynamic runtime
control over the checks done by /etc/security and how they are reported.

> >> a better fix might be to specifically allow /sbin/nologin as a shell
> >> at the point that emits the complaint in question.
> >
> >No, I don't think so.  At least with adding the shells explicitly to the
> >list in the array you don't have to mess with an ever more complex
> >expression in the logic of the program.....
> # diff /etc/security /usr/src/etc/security
> 215c215
> <               } else if (! shells[$10] && $10 != "/sbin/nologin")
> ---
> >               } else if (! shells[$10])
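Review bot: putting the literal comparison `$10 != "/sbin/nologin"` into the condition at line 215 means each further no-login shell needs another clause in that expression; seeding the array once where it is built (e.g. `shells["/sbin/nologin"] = 1`) leaves the test as plain `! shells[$10]`. Note also that `diff /etc/security /usr/src/etc/security` lists the modified site copy as the `<` line and the stock source as the `>` line, the reverse of the usual old-to-new order, so the proposed change is the `<` line.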

Thank you for reinforcing my point again for me!

								Greg A. Woods

+1 416 218-0098;  <>;  <>;  <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>
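As an added example, not code from NetBSD's /etc/security or from either poster: a simplified sh/awk model of the check, assuming master.passwd(5)-style ten-field input and constructed sample data, that shows the two outcomes discussed in the thread (a locked /sbin/nologin account reported as having an invalid shell while /sbin/nologin is absent from the shells array, and as locked-but-valid-shell once the array is seeded with it).

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: a simplified model of its
# passwd audit, showing how seeding the shells array with /sbin/nologin
# (instead of adding "&& $10 != \"/sbin/nologin\"" to the comparison)
# shifts locked nologin accounts from the "invalid shell" finding to
# the "locked but valid shell" finding the thread mentions.
#
# audit_shells MASTER_PASSWD SHELLS_FILE SEED_NOLOGIN(0|1)
audit_shells() {
    awk -F: -v shellsfile="$2" -v seed="$3" '
    BEGIN {
        if (seed) shells["/sbin/nologin"] = 1
        while ((getline line < shellsfile) > 0) {
            sub(/#.*/, "", line)           # strip comments
            if (line ~ /^\//) shells[line] = 1
        }
        close(shellsfile)
    }
    # master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell
    NF == 10 {
        if ($2 == "")
            print "no password: " $1
        else if (!($10 in shells))
            print "invalid shell " $10 ": " $1
        else if ($2 ~ /^\*/)
            print "locked, valid shell " $10 ": " $1
    }' "$1"
}

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie Root:/root:/bin/sh
daemon:*:1:1::0:0:Daemon:/:/sbin/nologin
guest::100:100::0:0:Guest:/home/guest:/bin/sh
oldapp:$1$salt$hash:200:200::0:0:Old App:/var/oldapp:/usr/local/bin/oldsh'
SAMPLE_SHELLS='# constructed /etc/shells
/bin/sh
/bin/csh'

# run_sample 0|1 : audit the sample with the nologin seed off or on
run_sample() {
    pd=$(mktemp) && sd=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$pd"
    printf '%s\n' "$SAMPLE_SHELLS" > "$sd"
    audit_shells "$pd" "$sd" "$1"
    rm -f "$pd" "$sd"
}
```

Running `run_sample 0` and `run_sample 1` side by side shows that only the daemon line changes between the two findings.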