Description of problem:
I'm not certain if this is an actual issue or not. The default /etc/passwd file does not have a default login program (e.g., /sbin/nologin) for news as it does for the other daemon processes. As a consequence, I can su to news but not the others. Again, not sure if it's an issue or done by necessity (just being paranoid).

halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin

Version-Release number of selected component (if applicable):
setup-2.6.1.1-1.fc6

How reproducible:
Install base system, then look at /etc/passwd.

Steps to Reproduce:
1. Install setup package
2. su to news user
3.

Actual results:
root can su to news account

Expected results:
su'ing to news should return "account not accessible" as with the other daemon users.

Additional info:
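The report above hinges on one detail of the passwd format: an empty seventh field is not "no shell", it is treated as /bin/sh, which is why su to news succeeded while the accounts with /sbin/nologin refused. The following is an added audit script, not part of the bug report or of the setup or inn packages; it parses passwd-format lines, flags system accounts (assumed here to be UID 999 and below, root excepted) whose effective shell is interactive, and prints the usermod command a maintainer would run to close the gap. The sample data is constructed from the entries quoted in the report plus two made-up rows (a legacy account with /bin/sh and a regular user) to show what is and is not flagged.

```python
"""Audit /etc/passwd-format data for system accounts that still get an
interactive shell (the situation reported above for the `news` user)."""

import sys
from dataclasses import dataclass
from typing import List, Tuple

# Shells that give an interactive session. An EMPTY shell field is the
# important edge case: per passwd(5) it is treated as /bin/sh, which is
# exactly why `su news` worked in the report.
INTERACTIVE_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh",
    "/bin/csh", "/bin/tcsh", "/bin/dash",
}
# Assumption: UIDs at or below this value are system (daemon) accounts.
SYSTEM_UID_MAX = 999

# Constructed sample: the five entries quoted in the report, plus root, a
# made-up legacy account with an explicit /bin/sh, and a regular user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
legacy:x:50:50:legacy:/var/legacy:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; rejects malformed rows instead of guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def effective_shell(shell: str) -> str:
    """What login/su will actually run: an empty field means /bin/sh."""
    return shell if shell else "/bin/sh"


def is_interactive(shell: str) -> bool:
    return effective_shell(shell) in INTERACTIVE_SHELLS


def audit(entries: List[PasswdEntry], uid_max: int = SYSTEM_UID_MAX) -> List[Tuple[str, str]]:
    """Return (account, reason) for every system account with an interactive shell."""
    findings = []
    for e in entries:
        if e.name == "root" or e.uid > uid_max:
            continue  # root legitimately has a shell; ordinary users are out of scope
        if is_interactive(e.shell):
            reason = ("empty shell field (defaults to /bin/sh)" if not e.shell
                      else f"interactive shell {e.shell}")
            findings.append((e.name, reason))
    return findings


def remediation(name: str) -> str:
    """The change the setup maintainer eventually made for news, as a command."""
    return f"usermod -s /sbin/nologin {name}"


def run_audit(text: str = SAMPLE_PASSWD) -> List[Tuple[str, str]]:
    return audit(parse_passwd(text))


if __name__ == "__main__":
    # Usage: python audit_passwd.py [/etc/passwd]; no argument audits the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, reason in run_audit(data):
        print(f"{account}: {reason}  ->  {remediation(account)}")
```

On the sample, news is flagged because its shell field is empty and the constructed legacy account because it carries /bin/sh; halt is not flagged, since /sbin/halt is a program rather than an interactive shell, and the regular user is skipped by UID. Point the script at a real /etc/passwd to reproduce the check from the report across every system account rather than just news.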
This behavior exists because of bug 48701. I suspect this should really be considered an inn bug, but I'm hesitant to call it a security issue. The lack of a login shell by itself poses no threat as the account has no password. It should be noted though, that another flaw could potentially allow access to the news user.
Is it possible then to move the news user (and maybe some of the other legacy accounts) from the base setup package and add it only as part of the inn package? I.e. put in the useradd in the inn specfile versus the default passwd file that's included on all installs?
Well, that wouldn't fix upgrades. Moreover, not sure how just moving the same entry (which has access to basically nothing in a default install) really 'fixes' anything.
I agree completely with you in that it doesn't *fix* anything, except that the account will only be there once innd is installed. I can't think of a way to exploit it (you'd need to be root anyway), except maybe to hide some sort of backdoor account. I'm seeing it more in terms of our security audits where I have to go back and delete these legacy accounts anyway. Plus, I could see where someone runs an OpenLDAP migrate_passwd script and pulls in all these legacy accounts to an LDAP server. Not sure how a Linux LDAP client would react to a shell-less account, but other systems (e.g., AIX) may use a default shell such as korn. Anyhoo, if it's closed as is I won't complain. It may be better suited as a wishlist item than a bug.
I'll move this over to the inn component; maybe the inn maintainer has an idea what we can do here reasonably? Read ya, Phil
This is not a security issue; however, the user should have a nologin shell for the sake of good habits. Reassigning the bug to the current maintainer.
The #48701 issue seems not to be occurring with current inn; another bugzilla with that issue is RHEL4 #229472. The only issue I found in the quick check for #229472 was in man pages, as some recommend using e.g. "su -m news -c /etc/rc.news start", which will not work with a nologin shell. Anyway, it seems to have no influence on starting innd, and there is an easy workaround for it: use "su -m news --shell=/bin/sh -c /etc/rc.news start". Anyway, maybe some manpage/hint changes in inn should be done to mention this after the /sbin/nologin shell addition for news. This change should not be done by the inn package; it should be done in the setup package, therefore reassigning the component and adding myself to cc. Anyway, I would suggest doing that change only in RAWHIDE and not in the "shipped" and stable Fedora distribution.
Ok, the latest setup version now adds /sbin/nologin for news as well, so if you could add a manpage change/hint to inn on how to properly use it, that would be great. Thanks, Read ya, Phil