Debian Bug report logs - #581899
Default login shell for $UID 1-99 should be /usr/sbin/nologin


Package: base-passwd; Maintainer for base-passwd is Colin Watson <cjwatson@debian.org>; Source for base-passwd is src:base-passwd.

Reported by: Aaron Toponce <aaron.toponce@gmail.com>

Date: Mon, 17 May 2010 02:36:11 UTC

Severity: normal

Tags: patch, security

Merged with 274229, 330882

Found in versions 3.5.8, base-passwd/3.5.10, base-passwd/3.5.20, base-passwd/3.5.22

Fixed in version base-passwd/3.5.30

Done: Colin Watson <cjwatson@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#581899; Package base-passwd. (Mon, 17 May 2010 02:36:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Aaron Toponce <aaron.toponce@gmail.com>:
New Bug report received and forwarded. Copy sent to Colin Watson <cjwatson@debian.org>. (Mon, 17 May 2010 02:36:14 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Aaron Toponce <aaron.toponce@gmail.com>
To: submit@bugs.debian.org
Subject: Default login shell for $UID 1-99 should be /usr/sbin/nologin
Date: Sun, 16 May 2010 20:34:27 -0600
Package: base-passwd
Version: 3.5.22

System users with UID 1 through 99 should not have a default login shell
in /etc/passwd, as they are not interactive accounts. Even though the
password is disabled by default in /etc/shadow, it makes no sense to
have the login shell as /bin/sh.

The default login shell for these accounts should be /bin/false or
/usr/sbin/nologin. The root user, UID 0, of course, should have a login
shell.

For comparison, Fedora/RHEL and OpenBSD use /sbin/nologin and Mac OS X
uses /usr/bin/false.

I don't see the current implementation necessarily hurting anything, but
it doesn't make sense for an account that doesn't log in to the system to
have an interactive login shell.

Making the default shell /usr/sbin/nologin or /bin/false should increase
the security of the system.

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O


Forcibly Merged 274229 330882 581899. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 17 May 2010 10:51:03 GMT) Full text and rfc822 format available.

Added tag(s) security. Request was from Piotr Engelking <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 07 May 2011 20:21:03 GMT) Full text and rfc822 format available.

Severity set to 'normal' from 'wishlist' Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org. (Sun, 08 Jul 2012 16:48:05 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Nathanael Nerode <neroden@fastmail.fm> to control@bugs.debian.org. (Sun, 08 Jul 2012 16:48:06 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 581899: 184979 Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Fri, 01 Nov 2013 18:06:16 GMT) Full text and rfc822 format available.

Message #16 received at 274229-close@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: 274229-close@bugs.debian.org
Subject: Bug#274229: fixed in base-passwd 3.5.30
Date: Tue, 07 Jan 2014 16:03:29 +0000
Source: base-passwd
Source-Version: 3.5.30

We believe that the bug you reported is fixed in the latest version of
base-passwd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 274229@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated base-passwd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Jan 2014 15:41:06 +0000
Source: base-passwd
Binary: base-passwd
Architecture: source i386
Version: 3.5.30
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 base-passwd - Debian base system master password and group files
Closes: 184979 274229
Changes: 
 base-passwd (3.5.30) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Remove config.h.in and configure, now autogenerated by dh-autoreconf.
   * Change the shell of all global static users other than root (which
     retains /bin/sh) and sync (as /bin/sync is rather harmless) to
     /usr/sbin/nologin (closes: #274229; LP: #216813, #248844).
   * Policy version 3.9.5.
 .
   [ Russ Allbery ]
   * Add support for debconf prompting to update-passwd (closes: #184979).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
-----END PGP SIGNATURE-----
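
An added example, not part of the bug log or of base-passwd: a shell audit for the condition this report describes, listing accounts with UID 1-99 in a passwd-format file that still have an interactive login shell. The function names and the list of accepted non-login shells are assumptions of this example; the sync exception follows the 3.5.30 changelog above.

```shell
#!/bin/sh
# Added example (not from base-passwd). The set of shells accepted as
# non-login is an assumption of this example.
NONLOGIN_SHELLS="/usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false"

# audit_static_shells [FILE...]: print "name:uid:shell" for every account with
# UID 1-99 whose shell is not in NONLOGIN_SHELLS. Reads stdin when no FILE is
# given; on a real system call it as: audit_static_shells /etc/passwd
audit_static_shells() {
    awk -F: -v ok="$NONLOGIN_SHELLS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        NF != 7 || /^#/    { next }   # skip blank, comment and malformed lines
        $3 !~ /^[0-9]+$/   { next }   # UID field must be numeric
        $3 < 1 || $3 > 99  { next }   # root (UID 0) and regular users are out of scope
        {
            shell = ($7 == "") ? "/bin/sh" : $7              # empty field means /bin/sh
            if ($1 == "sync" && shell == "/bin/sync") next   # exception kept by 3.5.30
            if (!(shell in allowed)) print $1 ":" $3 ":" shell
        }
    ' "$@"
}

# Constructed sample input in passwd(5) format (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo run over the constructed sample.
sample_passwd | audit_static_shells
```
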






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:15:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.