FS#21981 - [filesystem] Please add nologin to /etc/shells

Attached to Project: Arch Linux
Opened by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:08 GMT
Last edited by Pierre Schmitz (Pierre) - Sunday, 12 December 2010, 23:36 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

/sbin/nologin is not in /etc/shells; this affects accounts on the system that are set up for non-shell-related tasks like FTP, etc.

Additional info:
* Just need to add /sbin/nologin to list of shells in /etc/shells

Closed by Pierre Schmitz (Pierre)
Sunday, 12 December 2010, 23:36 GMT
Reason for closing: Won't implement
Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 13:24 GMT
Some system/daemon users use "/sbin/nologin" as shell right now, so adding it to "/etc/shells" wouldn't be that cool (as some daemon users would be allowed to login using FTP and stuff).
Comment by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:27 GMT
Interesting. What's the recommended solution for having non-shell logins that you want to give access to things like FTP to?
Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 13:38 GMT
Maybe we should tell all maintainers of affected packages that they'd better use "/bin/false" for daemon accounts that don't have a password, so you can add "/sbin/nologin" to your "/etc/shells" if you want.
Comment by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:40 GMT
Sounds daunting, do you know which packages are affected offhand?
Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 14:05 GMT
Grep'ing ABS, it seems that at least exim, sauerbraten, dovecot, gdm, lxdm, mailman, networkmanager-openconnect, rtkit and usbmuxd are affected. We'll need to double-check that none of these daemons require a user that has a password before changing these though.
Comment by Kaiting Chen (kaitocracy) - Saturday, 04 December 2010, 16:23 GMT
For a fact exim and dovecot should be switched to /bin/false. I've been running them on /bin/false on my server for months now.
Comment by Jan de Groot (JGC) - Monday, 06 December 2010, 08:13 GMT
nologin is not a valid shell, and should not be present in /etc/shells at all. Nologin serves the same purpose as /bin/false as shell, but adds additional logging to that.
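
The side effect raised in the comments can be checked before editing /etc/shells. The script below is an added example, not part of this ticket or of any Arch package: it lists the accounts that a /etc/shells check rejects today and would accept once a candidate shell is added. The function names, the `ftpuser` account and all ids in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints the accounts in PASSWD_FILE that a /etc/shells check
# rejects today but would accept once CANDIDATE is appended to SHELLS_FILE.
# usage: newly_allowed PASSWD_FILE SHELLS_FILE CANDIDATE
newly_allowed() {
    awk -F: -v cand="$3" '
        # Shells file: one path per line; comments and blank lines ignored.
        FILENAME == ARGV[1] {
            line = $0
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") listed[line] = 1
            next
        }
        # passwd(5) record: field 1 is the name, field 7 the login shell.
        # An empty shell field means /bin/sh.
        NF >= 7 {
            shell = ($7 == "" ? "/bin/sh" : $7)
            if (shell == cand && !(shell in listed)) print $1
        }
    ' "$2" "$1"
}

# Constructed sample data: daemon names taken from the thread, ids made up,
# ftpuser is a hypothetical FTP-only account like the one in the request.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
exim:x:79:79:Exim MTA:/var/spool/exim:/sbin/nologin
dovecot:x:76:76:Dovecot:/var/empty:/sbin/nologin
ftpuser:x:1001:1001:FTP only:/srv/ftp/ftpuser:/sbin/nologin
rtkit:x:133:133:RealtimeKit:/proc:/bin/false
EOF
    cat > "$1/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
EOF
}

# Demo on the sample: adding /sbin/nologin admits ftpuser, but also exim
# and dovecot, which is the objection raised in the first comment.
dir=$(mktemp -d) && make_sample "$dir"
newly_allowed "$dir/passwd" "$dir/shells" /sbin/nologin
rm -rf "$dir"
```

On a real system, pass `/etc/passwd` and `/etc/shells` as the first two arguments; every name printed needs a decision before the shells file is changed.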
