Red Hat Bugzilla – Bug 233738
news user doesn't have default login shell
Last modified: 2015-03-04 20:18:30 EST
Description of problem:
I'm not certain if this is an actual issue or not. The default /etc/passwd file
does not have a default login program (e.g., /sbin/nologin) as do the other
daemon processes. As a consequence, I can su to news but not the others. Again
not sure if it's an issue or done by necessity (just being paranoid).
Version-Release number of selected component (if applicable):
Install base system then look at /etc/passwd.
Steps to Reproduce:
1. Install setup package
2. su to news user
root can su to news account
su'ing to news should return "account not accessible" as the other daemon users.
This behavior exists because of bug 48701.
I suspect this should really be considered an inn bug, but I'm hesitant to call
it a security issue. The lack of a login shell by itself poses no threat as the
account has no password. It should be noted though, that another flaw could
potentially allow access to the news user.
Is it possible then to move the news user (and maybe some of the other legacy
accounts) from the base setup package and add it only as part of the inn
package? I.e. put in the useradd in the inn specfile versus the default passwd
file that's included on all installs?
Well, that wouldn't fix upgrades. Moreover, not sure how just moving the same
entry (which has access to basically nothing in a default install) really
I agree completely with you in that it doesn't *fix* anything, except that the
account will only be there once innd is installed. I can't think of a way to
exploit it (you'd need to be root anyway), except maybe to hide some sort of
I'm seeing it more in terms of our security audits where I have to go back and
delete these legacy accounts anyway. Plus, I could see where someone runs an
OpenLDAP migrate_passwd script and pulls in all these legacy accounts to an LDAP
server. Not sure how a Linux LDAP client would react to a shell-less account,
but other systems (e.g., AIX) may use a default shell such as korn.
Anyhoo, if it's closed as is I won't complain. It may be better suited as a
wishlist item than a bug.
I'll move this over to the inn component, maybe the inn maintainer has an idea
what we can do here reasonably?
Read ya, Phil
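An audit check in the spirit of the legacy-account cleanup described above, added here as an example and not taken from the bug report or from the setup/inn packages. It assumes the Fedora convention of that era that system accounts have UIDs below 500 and works on a constructed passwd sample rather than the real /etc/passwd:

```shell
#!/bin/sh
# Constructed sample of a pre-fix /etc/passwd (not copied from any system):
# the news entry has an empty shell field, the other daemon accounts do not.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
news:x:9:13:news:/etc/news:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
phil:x:500:500:Phil:/home/phil:/bin/bash'

# Shell that login/su actually run for one passwd line: an empty seventh
# field is not "no shell", it falls back to /bin/sh, which is why
# "su news" succeeds while "su bin" is refused.
effective_shell() {
    sh="$(printf '%s\n' "$1" | cut -d: -f7)"
    [ -n "$sh" ] && printf '%s\n' "$sh" || printf '/bin/sh\n'
}

# List system accounts (UID below $2, default 500; UID 0 excluded) whose
# shell field is empty or anything other than /sbin/nologin or /bin/false.
find_login_capable_daemons() {
    printf '%s\n' "$1" | awk -F: -v max="${2:-500}" '
        $3 > 0 && $3 < max &&
        $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Remediation commands for an administrator to review before running as root.
remediation_commands() {
    find_login_capable_daemons "$1" "$2" |
        while read -r user; do
            printf 'usermod -s /sbin/nologin %s\n' "$user"
        done
}

find_login_capable_daemons "$SAMPLE_PASSWD"
remediation_commands "$SAMPLE_PASSWD"
```

On a real host, replace the sample with `$(cat /etc/passwd)` and adjust the UID threshold to the distribution's system-account range.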
This is not a security issue, however the user should have a nologin shell for the
sake of good habits. Reassigning the bug to current maintainer.
#48701 issue seems to be not occurring with current inn, another bugzilla with
that issue is RHEL4 #229472.
The only issue I found in the quick check for #229472 was in man pages - as some
recommend using e.g. "su -m news -c /etc/rc.news start" which will not work
with nologin shell. Anyway it seems to have no influence on starting innd and there is an
easy workaround for it ... to use "su -m news --shell=/bin/sh -c /etc/rc.news
start". Anyway, maybe some manpages/hints changes in inn should be done and
mention this after the /sbin/nologin shell addition for news.
This change should not be done by inn package, should be done in setup package,
therefore reassigning component and adding myself to cc. Anyway I would suggest
to do that change only in RAWHIDE and not in "shipped" and stable Fedora
Ok, the latest setup version now added the /sbin/nologin for news as well, so if
you could add a manpage change/hint to inn on how to properly use it that would
Read ya, Phil