Bug 52989 - lots of incorrect shells in /etc/passwd
Summary: lots of incorrect shells in /etc/passwd
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: setup   
(Show other bugs)
Version: 7.3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2001-09-01 02:29 UTC by Chris Ricker
Modified: 2014-03-17 02:23 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-09-04 13:58:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Chris Ricker 2001-09-01 02:29:09 UTC
The shipped /etc/passwd has the following problems:

news doesn't have a shell at all; it should use /sbin/nologin

ntp has a shell of /bin/nologin, which doesn't exist; this should be

apache, rpc, and xfs have /bin/false for a shell; they should also use

The corresponding shipped /etc/shadow file uses a mix of "*" and "!!" in
place of encrypted password strings for accounts which can't be logged
into.  It'd make a lot more sense to pick one or the other and then
consistently use it.

Comment 1 Bill Nottingham 2001-09-03 03:46:45 UTC
news with /sbin/nologin breaks.

Comment 2 Bill Nottingham 2001-09-03 03:47:28 UTC
Please file apache, ntp, xfs, rpc against the associated packages that create
the entries in their %pre scripts - thanks!

Comment 3 Bill Nottingham 2001-09-03 03:48:07 UTC
Also, we don't ship an /etc/shadow file.

Comment 4 Chris Ricker 2001-09-03 13:44:18 UTC
Well, news should have *something* as a shell.  I'll file that one as well.

Comment 5 Chris Ricker 2001-09-03 13:45:28 UTC
I realize shadow is generated, not shipped.  That's what makes it even stupider
that you generate some entries with !! and others with *.  What should I file
that one against?

Comment 6 Chris Ricker 2001-09-03 13:59:45 UTC
Upon further inspection, the news entry in my passwd file appears to be from the
default passwd file shipped by RH; I don't have INN or anything like that
installed which should have created it.

Comment 7 Bill Nottingham 2001-09-03 15:54:41 UTC
For the shadow thing, shadow-utils, since it contains pwconv/pwunconv. What it
look s like, though, is that pwconv puts in a '*', while adduser/useradd later
puts in '!!'.

news having no shell is equivalent to shell == /bin/sh. Since that is what it
would  be set to anyways, this is not a security bug.

Comment 8 Chris Ricker 2001-09-04 13:58:39 UTC
Wouldn't the correct behavior for news to be for it to use /sbin/nologin for a
shell by default, and only to change that on the < 1% of systems which actually
need it to be /bin/sh because they're running a news server?

Comment 9 Bill Nottingham 2002-03-11 06:00:49 UTC
That seems to be excessive complication.

Note You need to log in before you can comment on or make changes to this bug.