[Pkg-shadow-devel] Bug#720581: login package provides wrong dir for nologin
Bob Proulx
bob at proulx.com
Fri Aug 23 16:23:50 UTC 2013
tag 720581 + moreinfo
thanks
Ian Bolton wrote:
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> ran tiger security tool with nologin in /etc/shells/

The /usr/sbin/nologin program should never be configured in
/etc/shells. That would enable it as a valid shell for services
such as ftp that check if the user's shell exists but do not
actually invoke it.

It also creates the somewhat humorous possibility of a user changing
their shell to the nologin shell, creating a hang state that they
cannot recover from. I have actually seen this situation appear and
happen in real life.

> * What was the outcome of this action?
>
> login package looked for nologin in /sbin/nologin while login
> package provides it in /usr/sbin/nologin

What were the exact values of the relevant lines from:

  /etc/passwd
  /etc/shells

I think you must have listed /sbin/nologin in the /etc/passwd file instead
of /usr/sbin/nologin. The login program looks at whatever program is
configured there.

Bob
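
A read-only check of the two files the message asks about, as an added example that is not part of the original message or of the shadow package: it flags nologin listed in a shells file and passwd entries whose shell path does not exist. The function names, the root-prefix argument and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of /etc/shells and /etc/passwd.
# Paths are arguments so the checks can run on copies; nothing here edits files.

# Print any shells-file line that lists a nologin binary as a valid shell.
nologin_in_shells() {
    grep -E '^[[:space:]]*/([^#[:space:]]*/)?nologin[[:space:]]*$' "$1" || true
}

# Print "user:shell" for passwd entries whose shell does not exist as a
# regular file under the given root (pass "" as root for the live system).
missing_shells() {
    passwd_file=$1 root=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$shell" ] || continue      # empty field means the default shell
        [ -f "$root$shell" ] || printf '%s:%s\n' "$user" "$shell"
    done < "$passwd_file"
}

# Constructed sample tree: nologin exists only at /usr/sbin/nologin, the
# shells file wrongly lists it, and one account points at /sbin/nologin.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/bin" "$d/etc"
    : > "$d/usr/sbin/nologin"
    : > "$d/bin/sh"
    printf '%s\n' '# /etc/shells: valid login shells' \
        /bin/sh /usr/sbin/nologin > "$d/etc/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'ftp:x:107:65534::/srv/ftp:/sbin/nologin' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$d/etc/passwd"
    printf '%s\n' "$d"
}

d=$(demo_setup)
echo "nologin listed as a valid shell:"
nologin_in_shells "$d/etc/shells"
echo "accounts whose shell does not exist:"
missing_shells "$d/etc/passwd" "$d"
rm -rf "$d"
```

On a live system the equivalent calls are `nologin_in_shells /etc/shells` and `missing_shells /etc/passwd ""`.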