Debian Bug report logs - #330882
base-passwd: getting shells in sync with what package tiger (security auditor) recommends

Package: base-passwd; Maintainer for base-passwd is Colin Watson <>; Source for base-passwd is src:base-passwd.

Reported by: Rogério Brito <>

Date: Fri, 30 Sep 2005 09:33:02 UTC

Severity: normal

Tags: patch, security

Merged with 274229, 581899

Found in versions 3.5.8, base-passwd/3.5.10, base-passwd/3.5.20, base-passwd/3.5.22

Fixed in version base-passwd/3.5.30

Done: Colin Watson <>

Report forwarded to, Colin Watson <>:
Bug#330882; Package base-passwd. Full text and rfc822 format available.

Acknowledgement sent to Rogério Brito <>:
New Bug report received and forwarded. Copy sent to Colin Watson <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Rogério Brito <>
To: Debian Bug Tracking System <>
Subject: base-passwd: getting shells in sync with what package tiger (security auditor) recommends
Date: Fri, 30 Sep 2005 06:23:58 -0300
Package: base-passwd
Version: 3.5.10
Severity: wishlist

Hi there, Colin.

I recently installed some packages in my box to learn more about its
security and vulnerabilities and one of them, tiger, gives some quite
sensible recommendations.

One of them is that the users backup, list and nobody (among others)
should not have shells that are listed in /etc/shells.

I tried changing their shells to something like /bin/false (which is
what Dan Bernstein once recommended, if I am not mistaken), but,
unfortunately, upon reinstallation of base-passwd (due to some
filesystem corruption), it offered to change back the shells to things
listed in /etc/shells.

Some of the recommendations given by tiger are really meaningful and I
think that they should be followed for making a default Debian install a
step closer to being more secure.

Thanks for your efforts, Rogério Brito.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux
Locale: LANG=C, LC_CTYPE=pt_BR (charmap=ISO-8859-1)

Versions of packages base-passwd depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an

base-passwd recommends no packages.

-- no debconf information

Forcibly Merged 274229 330882 581899. Request was from Colin Watson <> to (Mon, 17 May 2010 10:51:03 GMT) Full text and rfc822 format available.

Added tag(s) security. Request was from Piotr Engelking <> to (Sat, 07 May 2011 20:21:03 GMT) Full text and rfc822 format available.

Severity set to 'normal' from 'wishlist' Request was from Nathanael Nerode <> to (Sun, 08 Jul 2012 16:48:05 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Nathanael Nerode <> to (Sun, 08 Jul 2012 16:48:05 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 330882: 184979 Request was from Colin Watson <> to (Fri, 01 Nov 2013 18:06:15 GMT) Full text and rfc822 format available.

Message #16 received at (full text, mbox):

From: Colin Watson <>
Subject: Bug#274229: fixed in base-passwd 3.5.30
Date: Tue, 07 Jan 2014 16:03:29 +0000
Source: base-passwd
Source-Version: 3.5.30

We believe that the bug you reported is fixed in the latest version of
base-passwd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Colin Watson <> (supplier of updated base-passwd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Tue, 07 Jan 2014 15:41:06 +0000
Source: base-passwd
Binary: base-passwd
Architecture: source i386
Version: 3.5.30
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <>
Changed-By: Colin Watson <>
 base-passwd - Debian base system master password and group files
Closes: 184979 274229
 base-passwd (3.5.30) unstable; urgency=medium
   [ Colin Watson ]
   * Remove and configure, now autogenerated by dh-autoreconf.
   * Change the shell of all global static users other than root (which
     retains /bin/sh) and sync (as /bin/sync is rather harmless) to
     /usr/sbin/nologin (closes: #274229; LP: #216813, #248844).
   * Policy version 3.9.5.
   [ Russ Allbery ]
   * Add support for debconf prompting to update-passwd (closes: #184979).

Comment: Colin Watson <> -- Debian developer
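
The check discussed in this bug, as an added example that is not part of the original messages and is not tiger's or base-passwd's own code: it lists static system accounts whose shell appears in /etc/shells, exempting root and sync as the 3.5.30 changelog does. The UID range for static accounts (0-99 plus 65534) is an assumption taken from Debian Policy, and the passwd and shells contents are constructed samples.

```python
#!/usr/bin/env python3
"""Flag static system accounts whose shell is listed in /etc/shells."""

# Exempt per the 3.5.30 changelog: root keeps /bin/sh, sync keeps /bin/sync.
EXEMPT = {"root", "sync"}

def valid_shells(shells_text):
    """Parse /etc/shells content: one path per line, '#' starts a comment."""
    shells = set()
    for line in shells_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells

def is_static(uid):
    # Assumption: UIDs 0-99 and 65534 (nobody) are Debian's global static range.
    return 0 <= uid <= 99 or uid == 65534

def accounts_with_login_shell(passwd_text, shells_text):
    """Return (name, shell) for static accounts that have a valid login shell."""
    shells = valid_shells(shells_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith(("#", "+", "-")):
            continue  # skip malformed lines and NIS compat entries
        name, uid, shell = fields[0], fields[2], fields[6]
        if not uid.isdigit() or name in EXEMPT or not is_static(int(uid)):
            continue
        shell = shell or "/bin/sh"  # an empty shell field means /bin/sh
        if shell in shells:
            findings.append((name, shell))
    return findings

# Constructed sample data, shaped like a pre-3.5.30 passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
rogerio:x:1000:1000::/home/rogerio:/bin/bash
"""
SAMPLE_SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/dash\n/bin/bash\n"

if __name__ == "__main__":
    for name, shell in accounts_with_login_shell(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{name}: shell {shell} is listed in /etc/shells")
```

To audit a live system, pass the contents of /etc/passwd and /etc/shells to `accounts_with_login_shell` instead of the samples.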

