Bug 80176

Summary: Build process RFE: lack of login shell sanity-checking for system accounts
Product: [Retired] Red Hat Linux Reporter: Chris Ricker <chris.ricker>
Component: distributionAssignee: Bill Nottingham <notting>
Status: CLOSED DEFERRED QA Contact: Brock Organ <borgan>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: rvokal
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-03-02 18:42:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Chris Ricker 2002-12-21 07:32:36 UTC
(this is probably an RFE for rpmlint)

On an everything beta2 install, the following system accounts do not use
/sbin/nologin as their login shell:

[kaboom@urd kaboom]$ grep -v "/sbin/nologin" /etc/passwd | grep -v kaboom
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
radvd:x:75:75:radvd user:/:/bin/false
canna:x:39:39:Canna Service User:/var/lib/canna:/bin/false
[kaboom@urd kaboom]$ 

Of these, many correctly need executable login shells (halt, root, shutdown,
sync, rpm, postgres, mysql, news).

However, 10 of these either have an incorrect shell, no shell, or are accounts
for applications I'm not familiar enough w/ to know if they need shells or not:

wnn might or might not need a shell: Bug 80167
amanda might or might not need a shell: Bug 80168
pvm might or might not need a shell: Bug 80169
mailman has an incorrect shell: Bug 80170
squid might have an incorrect shell: Bug 80171
openldap has an incorrect shell: Bug 80172
netdump might or might not need a shell: Bug 80173
privoxy might or might not need a shell, but has none: Bug 80174
cann has an incorrect shell: Bug 80175
radvd has an incorrect shell: Bug 68372

Some of these probably aren't actually bugs (pvm and amanda I can conceive of
needing a login shell, for example, but are applications I simply don't use
enough to be sure), but many of them are clearly wrong.

These errors are systematic -- 10 of them! Furthermore, these happen with every
release -- I've filed these same sorts of bug reports in past beta cycles. Some
of these bugs have even been fixed in the past, and are now broken again (Bug
68372 for radvd, for example).

All of this argues that some sort of sanity checking of system accounts added by
rpm is needed in the build cycle. As an outsider not totally familiar with the
distribution building process / software used by RH, the obvious place to add
this is rpmlint. 

It seems to me that rpmlint should flag all useradd / usermod operations
creating system accounts with shells other than /sbin/nologin. Obviously,
rpmlint also needs a whitelist of system accounts which do require a login shell
and their correct shell. Such an enhancement would prevent these sorts of
systematic rpm creation errors, increasing the default security of the final RHL

Comment 1 Bill Nottingham 2005-03-02 18:42:03 UTC
There is *some* work on some different automated checking tools going
on. Closing for now.