[Pkg-shadow-devel] Bug#191038: marked as done (Please document that /etc/nologin can be a symlink)

Debian Bug Tracking System owner at bugs.debian.org
Mon Oct 3 19:03:10 UTC 2005


Your message dated Mon, 3 Oct 2005 20:46:37 +0200
with message-id <20051003184637.GG17909 at djedefre.onera>
and subject line Closing this bug
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Apr 2003 06:16:08 +0000
>From jaq at spacepants.org Mon Apr 28 01:16:07 2003
From: Jamie Wilkinson <jaq at debian.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Allow both /etc/nologin and /run/nologin to prevent a non-root user
	from logging in
X-Mailer: reportbug 2.10.1
Date: Mon, 28 Apr 2003 16:11:06 +1000
Message-Id: <20030428061106.5FC1DCB9FF at willow.home.spacepants.org>

Package: login
Version: 1:4.0.3-7.1
Severity: normal
Tags: patch

Hi,

As discussed on debian-devel, here's a patch to allow login to use both
/etc/nologin and /run/nologin to decide whether or not non-root users
should be able to log in.  The point of this exercise is to make /etc
totally under the control of the admin, that is no programs should be
allowed to write state to /etc.

/etc/nologin is now, then, solely an admin created config file.
/run/nologin is a state file created by shutdown.  The existence of
either of these files prevents a non-root user from logging in, with
preference given to the admin created file.

This patch isn't dependent on /run existing, obviously, as the existing
behaviour is preserved.

diff -ruN shadow-4.0.3.o/debian/changelog shadow-4.0.3/debian/changelog
--- shadow-4.0.3.o/debian/changelog	2003-04-02 10:41:33.000000000 +1000
+++ shadow-4.0.3/debian/changelog	2003-04-03 23:49:12.000000000 +1000
@@ -1,3 +1,10 @@
+shadow (1:4.0.3-7.1) experimental; urgency=low
+
+  * Check for both /etc/nologin and /run/nologin, as the prior is an
+    admin-created conffile and the latter is a program-created statefile.
+
+ -- Jamie Wilkinson <jaq at debian.org>  Tue,  1 Apr 2003 23:24:28 +1000
+
 shadow (1:4.0.3-7) unstable; urgency=low
 
   * When relocating a user's home directory, don't fail and remove the new
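Review bot: The new changelog entry names /etc/nologin directly, but the code in src/login.c takes that path from getdef_str ("NOLOGINS_FILE"), so the entry would be more accurate as "the file named by NOLOGINS_FILE (normally /etc/nologin)". "The prior" should read "the former" to pair with "the latter".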
diff -ruN shadow-4.0.3.o/src/login.c shadow-4.0.3/src/login.c
--- shadow-4.0.3.o/src/login.c	2003-04-02 10:41:33.000000000 +1000
+++ shadow-4.0.3/src/login.c	2003-04-02 10:43:18.000000000 +1000
@@ -303,6 +303,10 @@
 static void check_nologin (void)
 {
 	char *fname;
+	/* sysvinit moved its nologin to /run because while an admin-created
+	 * nologin is a config file, a sysvinit-created nologin is program
+	 * state.  So, just test for both files. */
+	char sysv_nologin[] = "/run/nologin";
 
 	/*
 	 * Check to see if system is turned off for non-root users.
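Review bot: In check_nologin, `char sysv_nologin[] = "/run/nologin";` hard-codes the second path as a writable automatic array, while the first path stays configurable through NOLOGINS_FILE. A `static const char` array or a #define would avoid rebuilding the string on the stack at every call and would keep it read-only (fname would then need to be `const char *`). It is also worth deciding whether this path should be overridable in the same way as the first. The explanatory comment sits between two declarations; placing it above `char *fname;` would read better.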
@@ -312,7 +316,13 @@
 	 * forgotten about it ...
 	 */
 
+	/* give precedence to /etc/nologin, as the admin probably writes a
+	 * better nologin message than sysvinit */
 	fname = getdef_str ("NOLOGINS_FILE");
+	if (fname == NULL || access(fname, F_OK) != 0) {
+	    fname = sysv_nologin;
+	}
+	
 	if (fname != NULL && access (fname, F_OK) == 0) {
 		FILE *nlfp;
 		int c;
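Review bot: The fallback at `if (fname == NULL || access(fname, F_OK) != 0)` also fires when NOLOGINS_FILE is not set at all, whereas the old code skipped the whole check for a NULL fname; a site that left the setting unset will now have /run/nologin block non-root logins. If that is intended, say so in the comment; if not, fall back only when fname is non-NULL. After this block fname can never be NULL, so the `fname != NULL &&` test on the following line is dead, and the configured file is probed with access() twice; selecting the first existing path in one place would be clearer. Style: the added lines use `access(` and four-space indentation where the surrounding code uses `access (` and tabs, and the added blank line carries a trailing tab.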

-- System Information:
Debian Release: testing/unstable
Architecture: powerpc
Kernel: Linux willow 2.4.20-ben9 #1 Sat Mar 29 01:05:19 EST 2003 ppc
Locale: LANG=en_AU, LC_CTYPE=en_AU

Versions of packages login depends on:
ii  libc6                         2.3.1-16   GNU C Library: Shared libraries an
ii  libpam-modules                0.76-9.1   Pluggable Authentication Modules f
ii  libpam0g                      0.76-9.1   Pluggable Authentication Modules l

-- no debconf information


---------------------------------------
Received: (at 191038-done) by bugs.debian.org; 3 Oct 2005 18:47:18 +0000
>From bubulle at kheops.frmug.org Mon Oct 03 11:47:18 2005
Date: Mon, 3 Oct 2005 20:46:37 +0200
From: Christian Perrier <bubulle at debian.org>
To: 191038-done at bugs.debian.org
Subject: Closing this bug
Message-ID: <20051003184637.GG17909 at djedefre.onera>

After discussion with upstream, it appears that documenting that some
config file can be a symlink could be overkill. After all, why
document this for /etc/nologin and not for all other files in /etc?

Hence closing.

