[Pkg-shadow-devel] Bug#433587: Bug#433587: request to add /usr/sbin/nologin to /etc/shells

Justin Pryzby jpryzby at quoininc.com
Wed Jul 18 12:33:59 UTC 2007


On Wed, Jul 18, 2007 at 02:05:35AM -0500, Mark Nipper wrote:
> On 18 Jul 2007, Christian Perrier wrote:
> > At first reaction, I am not very keen on doing this *by default*.
> > 
> > nologin is intended as a replacement shell field for accounts that
> > have been disabled. So, making it a valid shell defeats that. 
> > 
> > I recommend that you do it manually locally with add-shell(8).
> > 
> > Other shadow maintainers, do we have an agreement, here?
> 
>         Well, I did add it manually of course to work around the
> issue.  But I think this is the exact type of situation where it
> should be defined as a valid shell in /etc/shells.
> 
>         The reason to not include it would be if there is a
> security situation where having it defined allows some other
> unintended level of access.  If such a situation exists, then I
> can understand not having it in the list.  I just wasn't aware of
> any such situation whereas I clearly ran across the opposite with
> vsftpd.

Yeah, see shells(5) and related bug #429697 against "noshell", in
particular msg 10.

I think only "normal" shells should be listed in /etc/shells by
default.
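
An added example, not part of the original thread: a small audit that shows which accounts use a placeholder shell (nologin or false) and whether /etc/shells lists that shell, since services applying the shells(5) check treat a listed shell as belonging to a normal user. The file contents and account names are constructed sample data, and `audit_shells`, `valid_shells` and `write_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report accounts with a placeholder shell and whether the
# shells file vouches for that shell as a valid login shell.

# valid_shells FILE: print shells listed in FILE, skipping comments and blanks.
valid_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# audit_shells SHELLS_FILE PASSWD_FILE
# Prints "user shell listed|unlisted" for each nologin/false account.
audit_shells() {
    shells_file=$1
    passwd_file=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        case ${shell##*/} in
            nologin|false) ;;          # placeholder shells for disabled accounts
            *) continue ;;
        esac
        if valid_shells "$shells_file" | grep -qxF -- "$shell"; then
            echo "$user $shell listed"     # passes an /etc/shells validity check
        else
            echo "$user $shell unlisted"   # rejected by an /etc/shells validity check
        fi
    done < "$passwd_file"
}

# write_sample DIR: constructed sample files, not taken from a real system.
write_sample() {
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash > "$1/shells"
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'ftpupload:x:1001:1001::/srv/ftp:/usr/sbin/nologin' \
        'olduser:x:1002:1002::/home/olduser:/bin/false' > "$1/passwd"
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "default shells file:"
audit_shells "$tmp/shells" "$tmp/passwd"
# Same effect on the file as running add-shell(8) for nologin locally.
echo /usr/sbin/nologin >> "$tmp/shells"
echo "after listing nologin:"
audit_shells "$tmp/shells" "$tmp/passwd"
rm -rf "$tmp"
```

On a real system the same function can be pointed at /etc/shells and /etc/passwd to see which disabled accounts a local add-shell change would affect.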