FS#21981 - [filesystem] Please add nologin to /etc/shells
Attached to Project:
Arch Linux
Opened by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:08 GMT
Last edited by Pierre Schmitz (Pierre) - Sunday, 12 December 2010, 23:36 GMT
Details
Description:
/sbin/nologin is not in /etc/shells; this affects accounts on the system that are set up for non-shell-related tasks like FTP, etc.
Additional info:
* Just need to add /sbin/nologin to the list of shells in /etc/shells
Closed by Pierre Schmitz (Pierre)
Sunday, 12 December 2010, 23:36 GMT
Reason for closing: Won't implement
Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 13:24 GMT
Some system/daemon users use "/sbin/nologin" as shell right now,
so adding it to "/etc/shells" wouldn't be that cool (as some
daemon users would be allowed to login using FTP and stuff).

Comment by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:27 GMT
Interesting. What's the recommended solution for having non-shell
logins that you want to give access to things like FTP to?

Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 13:38 GMT
Maybe we should tell all maintainers of affected packages that
they'd better use "/bin/false" for daemon accounts that don't have
a password, so you can add "/sbin/nologin" to your "/etc/shells"
if you want.

Comment by Alex Matviychuk (alexmat) - Saturday, 04 December 2010, 13:40 GMT
Sounds daunting, do you know which packages are affected off hand?

Comment by Lukas Fleischer (lfleischer) - Saturday, 04 December 2010, 14:05 GMT
Grep'ing ABS, it seems that at least exim, sauerbraten, dovecot,
gdm, lxdm, mailman, networkmanager-openconnect, rtkit and usbmuxd
are affected. We'll need to double-check that none of these
daemons require a user that has a password before changing these
tho.

Comment by Kaiting Chen (kaitocracy) - Saturday, 04 December 2010, 16:23 GMT
For a fact exim and dovecot should be switched to /bin/false. I've
been running them on /bin/false on my server for months now.

Comment by Jan de Groot (JGC) - Monday, 06 December 2010, 08:13 GMT
nologin is not a valid shell, and should not be present in
/etc/shells at all. Nologin serves the same purpose as /bin/false
as shell, but adds additional logging to that.