Arch Linux

FS#1832 - Daemon accounts lack defined shell

Attached to Project: Arch Linux
Opened by Mario Vazquez (darkcoder) - Tuesday, 23 November 2004, 23:37 GMT
Last edited by Jan de Groot (JGC) - Sunday, 05 June 2005, 12:28 GMT
Task Type: Bug Report
Category: System
Status: Closed
Assigned To: Judd Vinet (judd)
Architecture: not specified
Severity: Medium
Priority: Normal
Reported Version: 0.7 Wombat
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

After looking at my /etc/passwd file, I found that many of the users assigned to daemons lack a valid shell. All security-related docs I found on the net recommend assigning /bin/false as the shell for accounts used by daemon services (mail, ftp, apache, etc).

The list of current accounts on a freshly installed computer used as an Internet client (no server) already includes the following accounts without a shell defined: bin, daemon, mail, ftp, nobody. Other daemon accounts installed by their services, like mysql, apache, and others, may also be affected.

Closed by Judd Vinet (judd)
Saturday, 11 June 2005, 20:06 GMT
Reason for closing: Fixed
Comment by Mario Vazquez (darkcoder) - Friday, 14 January 2005, 00:37 GMT

Comment by Mario Vazquez (darkcoder) - Thursday, 21 April 2005, 04:07 GMT
This is a comparison between the passwd file currently on filesystem PKGBUILD and a RedHat server I had at work.

filesystem PKGBUILD
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
ftp:x:14:11:ftp:/home/ftp:
nobody:x:99:99:nobody:/:

RedHat 9/Fedora passwd sample:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

In our case, since we do not have /sbin/nologin, we can use /bin/false as an alternative. I read some passwd samples on the Internet that use /bin/false instead of the RedHat nologin approach.

Recommended setting for /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
mail:x:8:12:mail:/var/spool/mail:/bin/false
ftp:x:14:11:ftp:/home/ftp:/bin/false
nobody:x:99:99:nobody:/:/bin/false

These samples apply only to the base passwd file as provided by the filesystem PKGBUILD; other packages that provide their own user, like apache, should also be checked.
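
An added example, not part of the report or of any Arch tooling: a shell function that audits a passwd file for the condition reported here. Per passwd(5), an empty shell field defaults to /bin/sh. The function names, the UID cutoff and the no-login list are assumptions; the sample input is the filesystem PKGBUILD listing quoted in the comment above.

```shell
#!/bin/sh
# Flag system accounts whose passwd(5) shell field is empty or is not a
# known no-login program.

# Programs accepted as "no login" shells (assumption; adjust to local policy).
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin /usr/bin/nologin"
# UIDs below this count as system accounts (assumption; compare login.defs).
UID_MIN=1000

# audit_passwd FILE -> prints one "name:uid:reason" line per flagged account.
audit_passwd() {
    awk -F: -v min="$UID_MIN" -v ok="$NOLOGIN_SHELLS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) safe[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 7 { printf "%s::malformed-entry\n", $1; next }
        # root and regular users are out of scope; 65534 is the usual
        # "nobody" UID on newer systems and is still audited.
        $3 == 0 || ($3 >= min && $3 != 65534) { next }
        $7 == "" { printf "%s:%s:empty-shell\n", $1, $3; next }
        !($7 in safe) { printf "%s:%s:login-shell=%s\n", $1, $3, $7 }
    ' "$1"
}

# Sample input: the filesystem PKGBUILD passwd entries quoted on this page.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mail:x:8:12:mail:/var/spool/mail:
ftp:x:14:11:ftp:/home/ftp:
nobody:x:99:99:nobody:/:
EOF
}

# When a file is given on the command line, audit it.
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

Run it as `sh audit.sh /etc/passwd` (the script name is arbitrary); no output means every audited system account has a no-login shell.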
