From: Colin Percival
Date: Mon, 23 Feb 2004 17:45:07 +0000
To: freebsd-current@freebsd.org
Subject: What to do about nologin(8)?

As anyone who reads cvs-all (or Mark Johnston's wonderful summaries thereof) will know, I recently added logging into nologin(8): Instead of simply printing an error message, it now (via syslog) records the refused login attempt.

For security reasons, nologin(8) must be statically linked; as a result, adding logging has increased the binary size by slightly over 100K (on i386). For historical reasons (which is to say, "nobody seems to know why"), nologin is located in /sbin, which means that this has a non-trivial effect upon the space used on the root partition. Some people are unhappy about this.

I can see a number of possible options; I'd like to hear opinions on which would be the best.

1. Leave everything as it is right now.
   Pro: Simplicity; logging is useful.
   Con: Bloating of the root filesystem.

2. Revert to the previous situation, without any logging.
   Pro: Saves space on the root filesystem.
   Con: Logging would be useful.

3. Move nologin(8) to /usr/sbin.
   Pro: There is no reason for nologin(8) to be in /sbin, since it isn't needed in single-user mode; this would retain logging without bloating the root fs.
   Con: Everyone who has hard-coded /sbin/nologin would have to fix their code.

4. Move nologin(8) to /usr/sbin, leave a symlink behind.
   Pro: Any time that users would be trying to log in, /usr/sbin should be mounted, so this should give the desired behaviour without bloating /.
   Con: [ -f /sbin/nologin ] would fail, which might be problematic.

5. Move nologin(8) to /usr/sbin, and leave /sbin/nologin behind with logging disabled.
   Pro: System administrators who want to record logins refused by nologin can do so easily; anyone who doesn't need this will see the same behaviour as in the past.
   Con: Having two different binaries with the same name in the path might cause problems.

6. Get rid of nologin(8) completely, and tell people to install Wes Peters' sysutils/no-login port instead.
   Pro: It would save space on the root filesystem, and even reduce buildworld time by somewhere around half a second. :)

Colin Percival