[Pkg-shadow-devel] Bug#960318: passwd: pwck does not recognize meaning of "/nonexistent" home directory

Jason Franklin jason.franklin at quoininc.com
Mon May 11 19:42:13 BST 2020


Package: passwd
Version: 1:4.5-1.1
Severity: normal
Tags: patch

Dear Maintainer(s):

The included patch helps the "pwck" command to function more helpfully
on Debian by having it recognize the convention of using "/nonexistent"
for the home directory of a user who intentionally does not have a home
directory.

This will allow "pwck" to properly succeed when some users have this
string as their home directory.  It will prevent a false failure and
false error messages such as these:

  user 'lp': directory '/nonexistent' does not exist
  user 'news': directory '/nonexistent' does not exist
  user 'uucp': directory '/nonexistent' does not exist
  ...
  user 'www-data': directory '/nonexistent' does not exist
  user '_apt': directory '/nonexistent' does not exist
  user 'nobody': directory '/nonexistent' does not exist
  pwck: no changes

The patch has already been accepted upstream.  See the link below to the
GitHub pull request for more discussion...

  https://github.com/shadow-maint/shadow/pull/251

The patch follows here:

--- a/README
+++ b/README
@@ -69,6 +69,7 @@ Guy Maor <maor at debian.org>
 Hrvoje Dogan <hdogan at bjesomar.srce.hr>
 Jakub Hrozek <jhrozek at redhat.com>
 Janos Farkas <chexum at bankinf.banki.hu>
+Jason Franklin <jason.franklin at quoininc.com>
 Jay Soffian <jay at lw.net>
 Jesse Thilo <Jesse.Thilo at pobox.com>
 Joey Hess <joey at kite.ml.org>
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -295,7 +295,7 @@ CHFN_AUTH		yes
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
+#
 CHFN_RESTRICT		rwh
 
 #
@@ -383,6 +383,14 @@ CHFN_RESTRICT		rwh
 DEFAULT_HOME	yes
 
 #
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
 # If this file exists and is readable, login environment will be
 # read from it.  Every line should be in the form name=value.
 #
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -105,6 +105,7 @@ static struct itemdef def_table[] = {
 	{"MAIL_FILE", NULL},
 	{"MAX_MEMBERS_PER_GROUP", NULL},
 	{"MD5_CRYPT_ENAB", NULL},
+	{"NONEXISTENT", NULL},
 	{"PASS_MAX_DAYS", NULL},
 	{"PASS_MIN_DAYS", NULL},
 	{"PASS_WARN_AGE", NULL},
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -152,6 +152,7 @@ login_defs_v = \
 	MD5_CRYPT_ENAB.xml \
 	MOTD_FILE.xml \
 	NOLOGINS_FILE.xml \
+	NONEXISTENT.xml \
 	OBSCURE_CHECKS_ENAB.xml \
 	PASS_ALWAYS_WARN.xml \
 	PASS_CHANGE_TRIES.xml \
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -67,6 +67,7 @@
 <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
 <!ENTITY MOTD_FILE             SYSTEM "login.defs.d/MOTD_FILE.xml">
 <!ENTITY NOLOGINS_FILE         SYSTEM "login.defs.d/NOLOGINS_FILE.xml">
+<!ENTITY NONEXISTENT           SYSTEM "login.defs.d/NONEXISTENT.xml">
 <!ENTITY OBSCURE_CHECKS_ENAB   SYSTEM "login.defs.d/OBSCURE_CHECKS_ENAB.xml">
 <!ENTITY PASS_ALWAYS_WARN      SYSTEM "login.defs.d/PASS_ALWAYS_WARN.xml">
 <!ENTITY PASS_CHANGE_TRIES     SYSTEM "login.defs.d/PASS_CHANGE_TRIES.xml">
@@ -203,6 +204,7 @@
       &MD5_CRYPT_ENAB;
       &MOTD_FILE;
       &NOLOGINS_FILE;
+      &NONEXISTENT;
       &OBSCURE_CHECKS_ENAB;
       &PASS_ALWAYS_WARN;
       &PASS_CHANGE_TRIES;
--- /dev/null
+++ b/man/login.defs.d/NONEXISTENT.xml
@@ -0,0 +1,41 @@
+<!--
+   Copyright (c) 1991 - 1993, Julianne Frances Haugh
+   Copyright (c) 1991 - 1993, Chip Rosenthal
+   Copyright (c) 2007 - 2009, Nicolas Fran├žois
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. The name of the copyright holders or contributors may not be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+   ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
+   HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<varlistentry>
+  <term><option>NONEXISTENT</option> (string)</term>
+  <listitem>
+    <para>
+      If a system account intentionally does not have a home directory
+      that exists, this string can be provided in the /etc/passwd
+      entry for the account to indicate this.  The result is that pwck
+      will not emit a spurious warning for this account.
+    </para>
+  </listitem>
+</varlistentry>
--- a/man/pwck.8.xml
+++ b/man/pwck.8.xml
@@ -30,6 +30,7 @@
 -->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY NONEXISTENT           SYSTEM "login.defs.d/NONEXISTENT.xml">
 <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
 <!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
 <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
@@ -266,6 +267,7 @@
       tool:
     </para>
     <variablelist>
+      &NONEXISTENT;
       &PASS_MAX_DAYS;
       &PASS_MIN_DAYS;
       &PASS_WARN_AGE;
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -527,12 +527,16 @@ static void check_pw_file (int *errors,
 			 * Make sure the home directory exists
 			 */
 			if (!quiet && (access (pwd->pw_dir, F_OK) != 0)) {
+				const char *nonexistent = getdef_str("NONEXISTENT");
+
 				/*
-				 * Home directory doesn't exist, give a warning
+				 * Home directory does not exist, give a warning (unless intentional)
 				 */
-				printf (_("user '%s': directory '%s' does not exist\n"),
-						pwd->pw_name, pwd->pw_dir);
-				*errors += 1;
+				if (NULL == nonexistent || strcmp (pwd->pw_dir, nonexistent) != 0) {
+					printf (_("user '%s': directory '%s' does not exist\n"),
+							pwd->pw_name, pwd->pw_dir);
+					*errors += 1;
+				}
 			}
 		}
 

Thanks for considering this modification!

Best wishes,
Jason Franklin <jason.franklin at quoininc.com>

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (500, 'stable'), (100, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passwd depends on:
ii  libaudit1       1:2.8.4-3
ii  libc6           2.28-10
ii  libpam-modules  1.3.1-5
ii  libpam0g        1.3.1-5
ii  libselinux1     2.8-1+b1
ii  libsemanage1    2.8-2

passwd recommends no packages.

passwd suggests no packages.

-- no debconf information


More information about the Pkg-shadow-devel mailing list