From owner-freebsd-current@FreeBSD.ORG Tue Feb 24 15:04:28 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DF9916A4CF for ; Tue, 24 Feb 2004 15:04:28 -0800 (PST) Received: from tx0.oucs.ox.ac.uk (tx0.oucs.ox.ac.uk [129.67.1.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0209343D2F for ; Tue, 24 Feb 2004 15:04:28 -0800 (PST) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from scan0.oucs.ox.ac.uk ([129.67.1.162] helo=localhost) by tx0.oucs.ox.ac.uk with esmtp (Exim 4.24) id 1AvlbG-0007Yo-G2 for freebsd-current@freebsd.org; Tue, 24 Feb 2004 23:04:27 +0000 Received: from rx0.oucs.ox.ac.uk ([129.67.1.161]) by localhost (scan0.oucs.ox.ac.uk [129.67.1.162]) (amavisd-new, port 25) with ESMTP id 28633-09 for ; Tue, 24 Feb 2004 23:04:26 +0000 (GMT) Received: from gateway.wadham.ox.ac.uk ([163.1.161.253]) by rx0.oucs.ox.ac.uk with smtp (Exim 4.24) id 1AvlbG-0007Yk-2c for freebsd-current@freebsd.org; Tue, 24 Feb 2004 23:04:26 +0000 Received: (qmail 20004 invoked by uid 0); 24 Feb 2004 23:04:26 -0000 Received: from colin.percival@wadham.ox.ac.uk by gateway by uid 71 with qmail-scanner-1.16 (sweep: 2.14/3.71. spamassassin: 2.53. Clear:. Processed in 1.690151 secs); 24 Feb 2004 23:04:26 -0000 X-Qmail-Scanner-Mail-From: colin.percival@wadham.ox.ac.uk via gateway X-Qmail-Scanner: 1.16 (Clear:. Processed in 1.690151 secs) Received: from dhcp1131.wadham.ox.ac.uk (HELO piii600.wadham.ox.ac.uk) (163.1.161.131) by gateway.wadham.ox.ac.uk with SMTP; 24 Feb 2004 23:04:24 -0000 Message-Id: <6.0.1.1.1.20040224225502.03dcfb10@imap.sfu.ca> X-Sender: cperciva@imap.sfu.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Tue, 24 Feb 2004 23:04:21 +0000 To: David Schultz From: Colin Percival In-Reply-To: <20040224223659.GB69570@VARK.homeunix.com> References: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca> <20040224223659.GB69570@VARK.homeunix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed cc: freebsd-current@freebsd.org Subject: Re: What to do about nologin(8)? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Feb 2004 23:04:28 -0000 At 22:36 24/02/2004, David Schultz wrote: >This is the third time this issue has been discussed, so before >the same arguments are rehashed, I'd like to lay out a simple plan >that I think people are unlikely to object to. (If anyone *does* >object, please say so.) I object. :) >(1) Fix login(1) so that it disables the -p option when the target > user's shell is not in /etc/shells (unless the invoking user > is root) Adding /sbin/nologin to /etc/shells is a standard way to create ftp-only users. This may or may not be the appropriate solution, but it is widely used. >(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH. Wearing my member-of-security-team hat, I have to say I'm rather unhappy with this idea. It's also been pointed out (by nectar) that there are issues with NFS if files are owned by nobody or nogroup. Colin Percival