Colin Percival wrote:
> At 22:36 24/02/2004, David Schultz wrote:
>
>> (1) Fix login(1) so that it disables the -p option when the target
>>     user's shell is not in /etc/shells (unless the invoking user
>>     is root)
>
> Adding /sbin/nologin to /etc/shells is a standard way to create
> ftp-only users.

Putting /sbin/nologin as the user's shell in /etc/passwd is quite standard, yes, for exactly the reason you describe.

Adding it to /etc/shells is a very different matter, though. My understanding has always been that /etc/shells is intended to list the "standard" *interactive* user shells. Special or restricted shells should not be listed there. In particular, /sbin/nologin should certainly not be in /etc/shells.

chpass(1) has some comments on this. getusershell(3) and shells(5) are admittedly pretty vague. Perhaps some manpage-tuning is in order.

>> (2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.
>
> Wearing my member-of-security-team hat, I have to say I'm rather
> unhappy with this idea. It's also been pointed out (by nectar) that
> there are issues with NFS if files are owned by nobody or nogroup.

Even though I tossed it out as an option, I'm uncomfortable with it as well just on the "unnecessary setgid" principle.

My preference at the moment is for nologin(8):
 * to be statically linked so it cannot easily be trojaned
 * to throw out the current environment and create a clean environment from scratch before invoking system("logger...") to perform any logging.

This would keep the size of nologin(8) down while keeping it pretty safe.

Tim Kientzle

Received on Tue Feb 24 2004 - 14:56:46 UTC