From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 21 23:48:04 2010 Return-Path: Delivered-To: freebsd-bugs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E3AF7106564A for ; Wed, 21 Apr 2010 23:48:04 +0000 (UTC) (envelope-from phoffman@proper.com) Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by mx1.freebsd.org (Postfix) with ESMTP id A6D6C8FC17 for ; Wed, 21 Apr 2010 23:48:04 +0000 (UTC) Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o3LNYC8t083586 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Apr 2010 16:34:13 -0700 (MST) (envelope-from phoffman@proper.com) Mime-Version: 1.0 Message-Id: In-Reply-To: <44mxww5ta3.fsf@be-well.ilk.org> References: <201004201507.o3KF7Ydf006145@www.freebsd.org> <44vdbk6a48.fsf@be-well.ilk.org> <44mxww5ta3.fsf@be-well.ilk.org> Date: Wed, 21 Apr 2010 16:34:10 -0700 To: Lowell Gilbert , freebsd-bugs@freebsd.org From: Paul Hoffman Content-Type: text/plain; charset="us-ascii" Cc: Subject: Re: conf/145887: /usr/sbin/nologin should be in the default /etc/shells X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Apr 2010 23:48:05 -0000 At 6:34 PM -0400 4/21/10, Lowell Gilbert wrote: >Paul Hoffman writes: > >> At 12:31 PM -0400 4/21/10, Lowell Gilbert wrote: >>>Paul Hoffman writes: >>> >>>> If adduser offers it as a shell, it should be listed in /etc/shells; otherwise, this kind of error will nail admins. >>> >>>This is exactly what nologin is for. I wouldn't want to see all of the >>>daemon-owning accounts starting to pass getusershell(3). >> >> Sorry, I don't understand what you are saying. I thought the fact that >> /usr/sbin/nologin exists and is executable is so that it *could* be >> listed in /etc/shells safely. > >I'm not really an expert, but I believe you are incorrect. The >documentation for nologin(8) says otherwise ("intended as a replacement >shell field for accounts that have been disabled"). Furthermore, other >functionality is available to accounts with valid shells. System >accounts are given nologin as a shell for this reason. This sounds like the logic is that /usr/sbin/nologin is meant for system accounts only. If so, why is it offered by "adduser"? >Putting nologin >into shells by default would open up, for example, the "bind" user to be >able to FTP into the box on many existing systems. This would Not be Good. That would only be true if you gave the "bind" user a password. > > > /usr/sbin/nologin is a log better than >> giving the user a shell that does not exist. > >Somewhat, yes. The problem is that many servers in the ports collection (such as mail access programs like qpoper) will only let clients connect if the client has a shell that is listed in /etc/shells. From a security standpoint, it would be obviously better to give these users the ability to act as clients but not to be able to log in using the shells that are listed by default (sh, csh, or tcsh). It sounds like you are suggesting that these users should be given a *different* shell, and that shell be added to /etc/shells. Why would that be any better than adding /usr/sbin/nologin to /etc/shells? Or, are you suggesting that all the servers in ports that rely on /etc/shells shouldn't? If so, why do we allow them at all? --Paul Hoffman