Bug 233738 - news user doesn't have default login shell
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: setup
Version: rawhide
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Phil Knirsch
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2007-03-24 07:51 EDT by Kwan Lowe
Modified: 2015-03-04 20:18 EST (History)
CC List: 3 users

Doc Type: Bug Fix
Last Closed: 2008-04-08 08:14:46 EDT
Attachments: None

Description Kwan Lowe 2007-03-24 07:51:47 EDT
Description of problem:
I'm not certain if this is an actual issue or not.  The default /etc/passwd file
does not have a default login program (e.g., /sbin/nologin) as do the other
daemon processes.  As a consequence, I can su to news but not the others. Again,
not sure if it's an issue or done by necessity (just being paranoid).

halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin

Version-Release number of selected component (if applicable):
setup-2.6.1.1-1.fc6

How reproducible:
Install base system, then look at /etc/passwd.

Steps to Reproduce:
1. Install setup package
2. su to news user
Actual results:
root can su to news account

Expected results:
su'ing to news should return "account not accessible" like the other daemon users.


Additional info:
Comment 1 Josh Bressers 2007-04-10 15:16:55 EDT
This behavior exists because of bug 48701.

I suspect this should really be considered an inn bug, but I'm hesitant to call
it a security issue.  The lack of a login shell by itself poses no threat as the
account has no password.  It should be noted though, that another flaw could
potentially allow access to the news user.
Comment 2 Kwan Lowe 2007-04-10 15:28:19 EDT
Is it possible then to move the news user (and maybe some of the other legacy
accounts) from the base setup package and add it only as part of the inn
package? I.e. put in the useradd in the inn specfile versus the default passwd
file that's included on all installs? 
Comment 3 Bill Nottingham 2007-04-10 15:41:56 EDT
Well, that wouldn't fix upgrades. Moreover, not sure how just moving the same
entry (which has access to basically nothing in a default install) really
'fixes' anything.
Comment 4 Kwan Lowe 2007-04-10 16:05:00 EDT
I agree completely with you in that it doesn't *fix* anything, except that the
account will only be there once innd is installed. I can't think of a way to
exploit it (you'd need to be root anyway), except maybe to hide some sort of
backdoor account. 

I'm seeing it more in terms of our security audits where I have to go back and
delete these legacy accounts anyway. Plus, I could see where someone runs an
OpenLDAP migrate_passwd script and pulls in all these legacy accounts to an LDAP
server. Not sure how a Linux LDAP client would react to an shell-less account,
but other systems (e.g., AIX) may use a default shell such as korn. 

Anyhoo, if it's closed as is I won't complain. It may be better suited as a
wishlist item than a bug.
Comment 5 Phil Knirsch 2007-05-23 10:21:23 EDT
I'll move this over to the inn component, maybe the inn maintainer has an idea
what we can do here reasonably?

Read ya, Phil
Comment 6 Lubomir Kundrak 2008-04-08 07:08:09 EDT
This is not a security issue, however the user should have nologin shell for the
sake of good habits. Reassigning the bug to current maintainer.
Comment 7 Ondrej Vasik 2008-04-08 07:51:53 EDT
The #48701 issue seems not to be occurring with current inn; another bugzilla with
that issue is RHEL4 #229472.

The only issue I found in the quick check for #229472 was in man pages - as some
recommend using e.g. "su -m news -c /etc/rc.news start", which will not work
with a nologin shell. Anyway it seems to have no influence on starting innd and
there is an easy workaround for it ... to use "su -m news --shell=/bin/sh -c /etc/rc.news
start". Anyway, maybe some manpages/hints changes in inn should be done to
mention this after the /sbin/nologin shell addition for news.

This change should not be done by inn package, should be done in setup package,
therefore reassigning component and adding myself to cc. Anyway I would suggest
to do that change only in RAWHIDE and not in "shipped" and stable Fedora
distribution.
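The check the report implies (which service accounts can still be su'd into because their shell field is empty or an interactive shell) together with the fix agreed in comments 7 and 8, as an added example; this is not part of the original bug report or of the setup package. The passwd lines are constructed: the five entries quoted in the report plus two made-up accounts, "backup" (a service account with an interactive shell, to show a flagged case) and "kwan" (an ordinary user, to show one that is skipped). The function names audit_passwd and set_nologin are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the setup package).
# Constructed passwd(5) sample: the five entries quoted in the report plus
# two made-up accounts, "backup" (service account with an interactive
# shell) and "kwan" (ordinary user, out of scope for the audit).
SAMPLE_PASSWD='halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
kwan:x:1000:1000:Kwan Lowe:/home/kwan:/bin/bash'

# audit_passwd: read passwd(5) records on stdin and print "user:shell" for
# every service account (UID 1..999) that "su <user>" would drop into a
# shell for.  An empty seventh field is reported as /bin/sh, because login(1)
# and su(1) fall back to /bin/sh when pw_shell is empty; that fallback is why
# "su news" succeeded in the report while "su mail" did not.  Non-interactive
# programs such as /sbin/halt are deliberately not flagged.
audit_passwd() {
    awk -F: '
        NF < 7 { next }                   # blank or malformed record
        $3 == 0 || $3 >= 1000 { next }    # root and ordinary users are out of scope
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (shell ~ /^\/(usr\/)?bin\/(sh|bash|dash|ksh|zsh|csh|tcsh)$/)
                print $1 ":" shell
        }'
}

# set_nologin USER: rewrite the records on stdin so that USER's shell is
# /sbin/nologin, which is what the setup package change in comment 8 did for
# "news".  On a live system use "usermod -s /sbin/nologin news" rather than
# editing /etc/passwd by hand.
set_nologin() {
    awk -F: -v OFS=: -v user="$1" '$1 == user { $7 = "/sbin/nologin" } { print }'
}

# Usage: audit the sample before and after applying the fix to "news".
echo "before:"; printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
echo "after:";  printf '%s\n' "$SAMPLE_PASSWD" | set_nologin news | audit_passwd
```

Feed the live system with `getent passwd | audit_passwd` rather than reading /etc/passwd directly, so accounts pulled in over NSS (the OpenLDAP migrate_passwd case from comment 4) are covered too. After the fix, `su -m news -c /etc/rc.news start` fails because /sbin/nologin is what gets executed; the `--shell=/bin/sh` (`-s /bin/sh`) override from comment 7 is needed, and su lets root use it even though /sbin/nologin is not in /etc/shells.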
Comment 8 Phil Knirsch 2008-04-08 08:14:46 EDT
Ok, the latest setup version now added the /sbin/nologin for news as well, so if
you could add a manpage change/hint to inn on how to properly use it that would
be great.

Thanks,

Read ya, Phil
