Bug 53963

Summary: RFE: Add a safe nologon shell to /etc/shells
Product: [Retired] Red Hat Linux Reporter: R P Herrold <herrold>
Component: setupAssignee: Bill Nottingham <notting>
Status: CLOSED CURRENTRELEASE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: mishu, nalin, notting, rvokal
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-09-23 05:42:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description R P Herrold 2001-09-24 15:37:54 UTC 
Please add a SAFE no-login type shell to the base /etc/shells -- safe in
the sense that it is immune from the Shell variable pre-load attack.  It
needs to be here, so that 'chsh' and other tools will allow its use without
manual edit of /etc/passwd

Nalin suggested /sbin/nologin on testers-list, but unlike all the other
'default' shells, this is not in /bin ...

Doesn't bother me, but ...
Comment 1 Bill Nottingham 2001-09-24 16:06:13 UTC 
One already exists. It's in /etc/shells.
Comment 2 Bill Nottingham 2001-09-24 16:06:46 UTC 
Oops, it's *not* in /etc/shells.
Comment 3 Bill Nottingham 2001-09-24 16:07:15 UTC 
Reassigning.
Comment 4 Elliot Lee 2002-01-04 18:45:57 UTC 
Someone who knows how the 'setup' package is maintained should add /sbin/nologin
to the default /etc/shells

This is, of course, assuming that /sbin/nologin is intended for this purpose.
(We have been shipping it already, and I am just wondering if it is being used
for purposes where its addition to /etc/shells would cause a security hole...)
Comment 5 Bill Nottingham 2002-03-11 06:02:06 UTC 
fixed in 2.5.8-1.
Comment 6 Jonathan Kamens 2002-03-31 23:06:34 UTC 
I am very concerned with the security implications of this change.  I don't know
if this is still true in a standard Red Hat installation, but for a very long
time on a very large number of Unix variants, the contents of /etc/shells have
been used to determine whether someone could FTP into a particular account. 
I.e., inbound FTP connections would be disallowed for users with shells not
listed in /etc/shells.  Because of this, /sbin/nologin was intentionally *not*
listed in /etc/shells, to prevent people with that shell from being able to FTP
into their accounts.

By adding it, have you circumvented that intentional security design?

I have reopened this bug to ensure that this issue has been considered.  If it
has been and I'm off the mark, please reclose the bug.
Comment 7 Bill Nottingham 2004-09-23 05:42:35 UTC 
At this point, I'm comfortable with this change. (Yeah, I know, bad
answer, but it's been two years, and it hasn't been a problem to this
point.)