The shipped /etc/passwd has the following problems:
news doesn't have a shell at all; it should use /sbin/nologin
ntp has a shell of /bin/nologin, which doesn't exist; this should be
apache, rpc, and xfs have /bin/false for a shell; they should also use
The corresponding shipped /etc/shadow file uses a mix of "*" and "!!" in
place of encrypted password strings for accounts which can't be logged
into. It'd make a lot more sense to pick one or the other and then
consistently use it.
news with /sbin/nologin breaks.
Please file apache, ntp, xfs, rpc against the associated packages that create
the entries in their %pre scripts - thanks!
Also, we don't ship an /etc/shadow file.
Well, news should have *something* as a shell. I'll file that one as well.
I realize shadow is generated, not shipped. That's what makes it even stupider
that you generate some entries with !! and others with *. What should I file
that one against?
Upon further inspection, the news entry in my passwd file appears to be from the
default passwd file shipped by RH; I don't have INN or anything like that
installed which should have created it.
For the shadow thing, shadow-utils, since it contains pwconv/pwunconv. What it
looks like, though, is that pwconv puts in a '*', while adduser/useradd later
puts in '!!'.
news having no shell is equivalent to shell == /bin/sh. Since that is what it
would be set to anyways, this is not a security bug.
Wouldn't the correct behavior for news to be for it to use /sbin/nologin for a
shell by default, and only to change that on the < 1% of systems which actually
need it to be /bin/sh because they're running a news server?
That seems to be excessive complication.
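An added audit script, not part of this bug report, that checks a passwd/shadow pair for the issues raised in the thread: an empty shell field (which login treats as /bin/sh), a shell path that does not exist, /bin/false where /sbin/nologin is conventional, and mixed lock markers in shadow. The sample file contents and the set of installed shells are constructed for the example.

```python
import os

# Constructed sample data, modelled on the entries discussed in the thread.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
ntp:x:38:38::/etc/ntp:/bin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
"""
SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
news:*:19000:0:99999:7:::
ntp:!!:19000:0:99999:7:::
apache:!!:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
"""
# Shells assumed to exist on the audited box (constructed); pass None to use os.path.exists.
EXISTING_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/bin/false"}
LOCK_MARKERS = ("*", "!", "!!")


def audit_passwd(text, existing_shells=None):
    """Return (user, problem) pairs for shell-field issues in passwd content."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, shell = fields[0], fields[6]
        exists = os.path.exists(shell) if existing_shells is None else shell in existing_shells
        if shell == "":
            # login/getpwent fall back to /bin/sh for an empty shell field,
            # so this account is effectively interactive.
            findings.append((user, "empty shell field; treated as /bin/sh"))
        elif not exists:
            findings.append((user, "shell %s does not exist" % shell))
        elif shell == "/bin/false":
            findings.append((user, "uses /bin/false; /sbin/nologin is the conventional no-login shell"))
    return findings


def audit_shadow(text):
    """Map each lock marker to its accounts; more than one key means '*' and '!!' are mixed."""
    markers = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] in LOCK_MARKERS:
            markers.setdefault(fields[1], []).append(fields[0])
    return markers
```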