Date:      Wed, 4 Dec 2024 16:13:34 +1100
From:      Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To:        questions@freebsd.org
Subject:   Do we need both /nonexistent and /var/empty in /etc/passwd?
Message-ID:  <41641e69-c7b4-4558-8d2c-e6f70906c893@heuristicsystems.com.au>

I'm making some minor tweaks to (hopefully) improve the consistency (and 
perhaps security) of my systems. So I've added requirehome to login.conf, 
and everything still works :)

This prompted me to examine /etc/passwd where some accounts use 
/var/empty and others /nonexistent.  Can anyone explain the need to have 
both available, from either the functional or security perspective? 
This is perplexing as the following standard accounts all use the 
"shell" /usr/sbin/nologin?

For reference, from /etc/passwd, the accounts with /var/empty:
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin

and those using home /nonexistent:
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin

I would've thought that /nonexistent is "better" but if a directory is 
tested for existence when requirehome is used, then /var/empty makes 
sense; but only with a shell other than nologin ??

So let's try changing the sshd home directory from /var/empty to 
/nonexistent.  The behaviour is unchanged when I log in to a nonpriv'ed 
account:

# ps -axwwu|grep dewayne
dewayne 35394   0.0  0.5 23960 9436  -  S    14:05      0:00.05 sshd: dewayne@pts/1 (sshd)
# procstat -f 35394
35394 sshd               cwd v d r-------   -       - -   /

I note that /var/empty can only be tested for existence unless root or 
group wheel,
# ls -l /var | grep empty
dr-xr-xr-x   2 root    wheel     512 21 Mar  2016 empty


So, is there a need to have both /var/empty and /nonexistent in /etc/passwd?

FWIW: On servers with a few installed applications, I note:
# grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l
       18
       49

Regards, Dewayne.
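The check below is an added example, not code from the original post or from FreeBSD: a POSIX sh audit that walks a passwd(5)-format file and, for every account whose shell is /usr/sbin/nologin, reports whether the home directory exists and whether any write bit is set on it. The passwd lines are constructed from the entries quoted above, and the directory layout (a read-only var/empty as shipped, no nonexistent directory) is built under a temporary root so the script runs offline; the function names (classify_home, audit_passwd, make_layout) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd(5)-format file
# and, for each account whose shell is /usr/sbin/nologin, report whether its
# home directory exists under a given root and what its mode bits are.
# The passwd text and the directory layout are constructed for this example.

# Constructed sample: three nologin accounts from the post plus one interactive user.
SAMPLE_PASSWD='sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
dewayne:*:1001:1001:Dewayne:/home/dewayne:/bin/sh'

# mode_of DIR: the ten-character permission field from ls -ld, e.g. dr-xr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# classify_home ROOT HOME: prints "missing" if ROOT/HOME is not a directory,
# "writable:MODE" if any write bit is set in MODE, else "readonly:MODE".
# Mode bits are inspected directly rather than via "test -w", which always
# succeeds for root and would hide a writable home from an audit run as root.
classify_home() {
    root=$1
    home=$2
    dir="$root$home"
    if [ ! -d "$dir" ]; then
        printf 'missing\n'
        return
    fi
    mode=$(mode_of "$dir")
    case "$mode" in
        *w*) printf 'writable:%s\n' "$mode" ;;
        *)   printf 'readonly:%s\n' "$mode" ;;
    esac
}

# audit_passwd ROOT: reads passwd lines on stdin and prints "user home status"
# for every account whose login shell is /usr/sbin/nologin.
audit_passwd() {
    root=$1
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        [ "$shell" = /usr/sbin/nologin ] || continue
        printf '%s %s %s\n' "$user" "$home" "$(classify_home "$root" "$home")"
    done
}

# make_layout ROOT: builds a root with a read-only var/empty (as FreeBSD ships
# it) and a normal home/dewayne, but deliberately no "nonexistent" directory.
make_layout() {
    root=$1
    mkdir -p "$root/var/empty" "$root/home/dewayne"
    chmod 555 "$root/var/empty"
    chmod 755 "$root/home/dewayne"
}

# run_demo: create the temporary layout, audit the constructed passwd, print
# the report, and clean up.
run_demo() {
    root=$(mktemp -d)
    make_layout "$root"
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd "$root"
    rm -rf "$root"
}

run_demo
```

Against a live system, replace the constructed sample with `audit_passwd / < /etc/passwd`; the interesting lines are any nologin account whose home is reported as writable, since a daemon that can write its own home directory gains a place to drop files that a read-only /var/empty or a missing /nonexistent denies it.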