From owner-freebsd-security Sat May 23 21:25:46 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id VAA04854
          for freebsd-security-outgoing; Sat, 23 May 1998 21:25:46 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles167.castles.com [208.214.165.167])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA04649
          for ; Sat, 23 May 1998 21:24:35 -0700 (PDT)
          (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1])
          by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id PAA02689;
          Sat, 23 May 1998 15:47:51 -0700 (PDT)
Message-Id: <199805232247.PAA02689@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Are Bryne
cc: Mike Smith , freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Sun, 24 May 1998 01:50:39 +0200."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 23 May 1998 15:47:50 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> On Sat, 23 May 1998, Mike Smith wrote:
>
> > No, they don't. Administrative accounts disallow normal logins.
> > Having an invalid shell would prevent non-normal logins.
>
> I am not sure I understand you here...

An administrative account eg. 'news' may still require a valid shell,
even though you may not wish to allow someone to login as 'news'.

> > Having an invalid shell would prevent non-normal logins.
> >
> > It would (perhaps) be worthwhile adding some verbiage to the
> > description of the shell field to make it clearer that setting it to
> > refer to /sbin/nologin is the preferred technique for preventing a user
> > having any access to the system. The current text assumes that the
> > reader already possesses this knowledge.
>
> Then perhaps the default /nonexistent 'shell' for various password file
> entries should be changed also?

It would probably make sense to have /sbin/nologin the default shell
for those accounts, yes. Want to file a PR?

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
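
Added example, not part of the original message or of FreeBSD itself: a small sh/awk audit that sorts passwd(5)-format entries by shell field, so the /nonexistent accounts the thread proposes moving to /sbin/nologin can be listed apart from accounts such as 'news' that keep a valid shell. The function names and the sample entries are constructed for illustration; an empty shell field is treated as /bin/sh.

```shell
#!/bin/sh
# Classify the shell field of each account in passwd(5)-format input.
# Works for 7-field passwd and 10-field master.passwd lines, because the
# shell is always the last colon-separated field.
classify_shells() {
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and short lines
        {
            shell = $NF
            if (shell == "") shell = "/bin/sh"   # empty field means /bin/sh
            if (shell == "/sbin/nologin" || shell == "/usr/sbin/nologin")
                class = "nologin"            # explicit refusal of logins
            else if (shell == "/nonexistent")
                class = "nonexistent"        # placeholder path, no such program
            else
                class = "login"              # a real shell, review case by case
            printf "%s\t%s\t%s\n", $1, class, shell
        }'
}

# Names of accounts whose shell is the /nonexistent placeholder: the
# entries discussed in the thread as candidates for /sbin/nologin.
nonexistent_accounts() {
    classify_shells | awk -F'\t' '$2 == "nonexistent" { print $1 }'
}

# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/nonexistent
news:*:8:8:News Subsystem:/:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
toor:*:0:0:Bourne-again Superuser:/root:'

# Print the full classification for the sample entries.
report() {
    printf '%s\n' "$SAMPLE_PASSWD" | classify_shells
}

report
```

To audit a live system, feed the real file instead of the sample, for example `nonexistent_accounts < /etc/passwd`.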