(Apologies to Colin and Phillip for the duplicate. It helps if I send to the right debian-devel list.)
Hello all,

Debian currently creates most of its system users with a valid shell of /bin/sh. I was reminded of this problem by the recent closure of #588367, and bug #274229 against base-passwd is still open and has been for years. Phillip rightfully is following the precedent of base-passwd, but I think this is globally incorrect and should be fixed everywhere.

I realize the theory is that this doesn't matter, since the accounts are locked in /etc/shadow. However, there are ways to configure a system where that may or may not be honored for every possible authentication path (such as Kerberos authentications where the existence of the account is checked but the PAM stack is not run, or where /etc/shadow is ignored in favor of some other data source due to nsswitch configuration). It increases the risk that a user may be able to log on to a system account if there is a conflict between some other source of authentication information (local Kerberos, LDAP, etc.) and the local /etc/passwd and /etc/shadow files.

That being said, the *primary* reason that I would like to see this changed is that the valid shells are an audit finding in literally every system-level audit that we go through, and every time that happens I have to explain again why it's probably safe (or diverge from Debian and deal with prompts every time base-passwd is upgraded). This is a standard checkbox on a UNIX system audit, and this default honestly makes Debian look bad, even if it's a trivial matter.

Even if the risk is low, I see absolutely no reason why these accounts should have valid shells, and therefore don't understand why we wouldn't want to just change them to /usr/sbin/nologin. The local administrator has other ways of getting a shell with that account by overriding the shell with su, etc., if they really want to interactively be that user.

Colin, this bug has been dormant for a very long time, and I've previously pinged it with no response.
Is that just due to lack of time, or were you not sure whether this should change? Is this something for which you want the broader advice of the project or the technical committee?

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87eh70jdg8....@windlord.stanford.edu
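The audit checkbox the post refers to can be reproduced locally. The following is an added example, not part of the original mail or of base-passwd: a POSIX shell function that reads passwd-format lines and flags accounts in Debian's system UID range (1 to 999; root is deliberately excluded) whose login shell is anything other than /usr/sbin/nologin or /bin/false. The embedded passwd content is constructed sample data so the check runs offline; point `flag_system_shells` at /etc/passwd to run it on a real host.

```shell
#!/bin/sh
# Audit check: list system accounts (UID 1..999, Debian's system range)
# whose login shell is a real shell rather than /usr/sbin/nologin or /bin/false.
# Added example; constructed sample data, not taken from any real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postfix:x:105:110::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print "user:shell" for every system account with a usable shell.
# Takes passwd-format file names as arguments, or reads stdin if none given.
flag_system_shells() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }' "$@"
}

# Run the check over the embedded sample (offline demonstration).
check_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | flag_system_shells
}

# Number of flagged accounts in the sample, as a bare integer.
count_flagged_sample() {
    check_sample | wc -l | tr -d ' '
}

# On a live Debian host the equivalent call is:
#   flag_system_shells /etc/passwd
# The remediation the mail argues for is to set the shell to /usr/sbin/nologin,
# which for a single account is: usermod -s /usr/sbin/nologin <user>
# (dpkg may prompt on base-passwd upgrades for accounts it manages, as noted above).
check_sample
```

With the constructed sample, the check reports `daemon:/bin/sh` and `sys:/bin/sh`, which is exactly the pattern the post describes: locked-in-shadow accounts that still carry a valid shell. Accounts with UID 0 or UID 1000 and above are outside the scope of this check and are left for the usual user-account review.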