From: Colin Percival <cperciva@freebsd.org>
Date: Wed, 05 Jul 2006 06:30:59 -0700
To: "Jari Aalto+mail.linux", "login: please move nologin under /bin directory" <374525@bugs.debian.org>
Cc: "exim4-daemon-heavy: Use /bin/nologin instead of /bin/false in /etc/passwd" <366546-maintonly@bugs.debian.org>, "pidentd: [security] use /bin/nologin instead of /bin/false in /etc/passwd" <366545-maintonly@bugs.debian.org>, Ceri Davies, mstone@debian.org, freebsd-arch@freebsd.org, "openssh-server: [security] use /bin/nologin instead of /bin/false" <366541-maintonly@bugs.debian.org>, anibal@debian.org
Subject: Re: [Pkg-shadow-devel] Bug#374525: Bug#366546: Mail delivery failed: returning message to sender
Message-id: <44ABBF13.8030602@freebsd.org>
In-reply-to: <20060705054251.GF5220@djedefre.onera>
References: <20060509153807.16297.97467.reportbug@cante> <20060620050937.GB18750@djedefre.onera> <20060704192449.GC76109@submonkey.net> <20060705054251.GF5220@djedefre.onera>
List-Id: Discussion related to FreeBSD architecture <freebsd-arch@freebsd.org>

Christian Perrier wrote:
> As a first reaction and as one of the shadow maintainers, I'm now
> inclined to agree with the choice of the FreeBSD team here.
>
> The rationale is clear...
>
> I'd like to hear the one from OpenBSD to put nologin in /sbin
> though.. they might have a different definition of what goes in /sbin

FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why
OpenBSD still has /sbin/nologin.  I moved FreeBSD's nologin to /usr/sbin
two years ago, because

1. nologin needs to be statically linked to avoid linker environment
   security issues,
2. logging attempts to log in to a nologinned account requires that
   syslog code be pulled in (which significantly increases the size of a
   statically linked binary),
3. we like to keep the root filesystem small, and
4. since nologin is intended for use in multiuser mode, there's no reason
   for it to be on the root filesystem -- in single user mode, users who
   aren't supposed to be allowed to login will never get to the point of
   running a shell (nologin or otherwise).

In short, under the BSD hierarchy rules, nologin should be in /usr/sbin;
any systems behaving otherwise are doing so for historical reasons only.

Colin Percival
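The message argues for two properties of a locked account's shell: it should be nologin rather than /bin/false, so that refused logins are logged, and nologin itself should be statically linked, so that the dynamic linker's environment cannot alter its behaviour. The script below is an added example, not part of Colin Percival's message or of FreeBSD's or Debian's sources; it audits passwd entries for both properties. Static linkage is decided by parsing the ELF64 program headers (a dynamically linked executable carries PT_INTERP and PT_DYNAMIC entries, a static one does not); only little-endian ELF64 is handled. The passwd lines, the ELF images and the `binaries` lookup table are all constructed for the example, and the shell paths (/usr/sbin/nologin for FreeBSD, /sbin/nologin for OpenBSD) are the ones named in the thread; the set of interactive shells is an assumption.

```python
"""Audit which accounts have logins disabled, and how (added example)."""
import struct

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3

# Shells that grant an interactive session; anything else means "login disabled".
# This set is an assumption for the example.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/usr/local/bin/bash"}


def is_static_elf(image: bytes) -> bool:
    """True if the ELF64 image has no PT_INTERP or PT_DYNAMIC program header."""
    if len(image) < 64 or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 is supported here")
    (e_phoff,) = struct.unpack_from("<Q", image, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)  # entry size, entry count
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", image, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def make_elf64(phdr_types):
    """Build a minimal ELF64 image with the given p_type values (constructed test data)."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                                 64, phentsize, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return header + phdrs


def audit_passwd(passwd_text: str, binaries: dict) -> list:
    """Return (user, finding) pairs for accounts whose login is disabled weakly.

    `binaries` maps a shell path to its file contents, or is missing the key
    when the path does not exist; it stands in for reading files from disk.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed passwd entry"))
            continue
        user, shell = fields[0], fields[6]
        if shell in INTERACTIVE_SHELLS:
            continue
        if not shell.endswith("/nologin"):
            findings.append((user, f"login disabled with {shell}: refused logins are not logged"))
            continue
        image = binaries.get(shell)
        if image is None:
            findings.append((user, f"{shell} does not exist on this system"))
        elif not is_static_elf(image):
            findings.append((user, f"{shell} is dynamically linked"))
    return findings


# Constructed sample: a FreeBSD-style passwd file with a few deliberate problems.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
exim:*:90:90:Exim mail transfer agent:/var/spool/exim:/bin/false
identd:*:91:91:identd user:/var/empty:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/local/sbin/nologin
"""

# Constructed binaries: static nologin, dynamic /bin/false, dynamic third-party nologin;
# /sbin/nologin (the OpenBSD path) is deliberately absent from this FreeBSD-style layout.
SAMPLE_BINARIES = {
    "/usr/sbin/nologin": make_elf64([PT_LOAD]),
    "/bin/false": make_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC]),
    "/usr/local/sbin/nologin": make_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC]),
}

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_BINARIES):
        print(f"{user}: {finding}")
```

On a live system the `binaries` table would be replaced by reading each distinct shell path from disk; the three findings the sample produces (exim via /bin/false, identd pointing at a path that does not exist here, www using a dynamically linked nologin) are exactly the conditions the message's first two points warn about.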