Date: Wed, 4 Dec 2024 01:07:13 -0500
From: Paul Procacci <pprocacci@gmail.com>
To: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
Cc: questions@freebsd.org
Subject: Re: Do we need both /nonexistent and /var/empty in /etc/passwd?
Message-ID: <CAFbbPugs=rkOJHm4y_6gpUsP2B+8GBqBqd_fYZumE344DqNe6g@mail.gmail.com>
In-Reply-To: <41641e69-c7b4-4558-8d2c-e6f70906c893@heuristicsystems.com.au>
References: <41641e69-c7b4-4558-8d2c-e6f70906c893@heuristicsystems.com.au>
On Wed, Dec 4, 2024 at 12:14 AM Dewayne Geraghty <dewayne@heuristicsystems.com.au> wrote:
>
> I'm making some minor tweaks to (hopefully) improve the consistency (and
> perhaps security) of my systems. So I've added requirehome to login.conf,
> and everything still works :)
>
> This prompted me to examine /etc/passwd where some accounts use
> /var/empty and others /nonexistent. Can anyone explain the need to have
> both available, from either the functional or security perspective?
> This is perplexing as the following standard accounts all use the
> "shell" /usr/sbin/nologin?
>
> For reference, from /etc/passwd, the accounts with /var/empty:
> sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
> _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
> hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>
> and those using home /nonexistent:
> proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
>
> I would've thought that /nonexistent is "better" but if a directory is
> tested for existence when requirehome is used, then /var/empty makes
> sense; but only with a shell other than nologin ??
>
> So let's try changing the sshd home directory, from /var/empty to
> /nonexistent. The behaviour is unchanged, when I log in to a nonpriv'ed
> account
>
> # ps -axwwu|grep dewayne
> dewayne 35394 0.0 0.5 23960 9436 - S 14:05 0:00.05 sshd: dewayne@pts/1 (sshd)
> # procstat -f 35394
> 35394 sshd cwd v d r------- - - - /
>
> I note that /var/empty can only be tested for existence unless root or
> group wheel,
> # ls -l /var | grep empty
> dr-xr-xr-x 2 root wheel 512 21 Mar 2016 empty
>
>
> So, is there a need to have both /var/empty and /nonexistent in /etc/passwd?
>
> FWIW: On servers with a few installed applications, I note:
> # grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l
> 18
> 49
>
> Regards, Dewayne.
>

You need to read hier(7). ;)

~Paul

-- 
__________________
:(){ :|:& };:
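A small audit of the two conventions Dewayne is comparing, as an added example that is not part of the thread and not FreeBSD's own code. hier(7), which Paul points to, documents /var/empty as an empty directory used by sshd(8) for privilege separation; /nonexistent is simply a path that must never exist. The script below walks a passwd(5)-format file and, for every account whose shell is nologin (or false), reports whether its home is absent, present but empty and not writable by group or other, present and writable, or present with contents. The second argument (a root prefix) is an assumption added so the check can be run offline against a constructed directory tree; on a live host run `audit_homes /etc/passwd`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the home directories of
# non-login service accounts in a passwd(5)-format file.
#
# Status values printed per account:
#   missing   home does not exist            (the /nonexistent convention)
#   empty     exists, no entries, not g/o-writable  (the /var/empty convention)
#   writable  exists, empty, but group- or other-writable (worth a look)
#   nonempty  exists and has entries (a service account owning files)

classify_home() {
    # $1 = directory path, already joined with any root prefix
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -n "$(find "$1" -mindepth 1 -maxdepth 1 2>/dev/null | head -n 1)" ]; then
        echo nonempty
    else
        # First 10 chars of "ls -ld": type + rwx for user, group, other.
        perms=$(ls -ld "$1" | cut -c1-10)
        case "$perms" in
            ?????w????|????????w?) echo writable ;;   # group or other has 'w'
            *) echo empty ;;
        esac
    fi
}

audit_homes() {
    passwd_file=$1
    prefix=${2:-}      # assumption: optional root prefix for offline testing
    # passwd(5) fields: name:passwd:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in
            */nologin|*/false) ;;   # service accounts only
            *) continue ;;
        esac
        status=$(classify_home "$prefix$home")
        printf '%s:%s:%s\n' "$name" "$home" "$status"
    done < "$passwd_file"
}

# Usage: sh audit_homes.sh /etc/passwd
if [ $# -gt 0 ]; then
    audit_homes "$1"
fi
```

Anything reported as "writable" or "nonempty" for an account that is supposed to own nothing deserves a look: a daemon that drops to such an account can still create files in a writable home, which is precisely what the /nonexistent and the read-only, root-owned /var/empty conventions are meant to prevent.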