The shipped /etc/passwd has the following problems:
- news doesn't have a shell at all; it should use /sbin/nologin
- ntp has a shell of /bin/nologin, which doesn't exist; this should be /sbin/nologin
- apache, rpc, and xfs have /bin/false for a shell; they should also use /sbin/nologin
The corresponding shipped /etc/shadow file uses a mix of "*" and "!!" in place of encrypted password strings for accounts which can't be logged into. It'd make a lot more sense to pick one or the other and then consistently use it.
news with /sbin/nologin breaks.
Please file apache, ntp, xfs, rpc against the associated packages that create the entries in their %pre scripts - thanks!
Also, we don't ship an /etc/shadow file.
Well, news should have *something* as a shell. I'll file that one as well.
I realize shadow is generated, not shipped. That's what makes it even stupider that you generate some entries with !! and others with *. What should I file that one against?
Upon further inspection, the news entry in my passwd file appears to be from the default passwd file shipped by RH; I don't have INN or anything like that installed which should have created it.
For the shadow thing, shadow-utils, since it contains pwconv/pwunconv. What it looks like, though, is that pwconv puts in a '*', while adduser/useradd later puts in '!!'. news having no shell is equivalent to shell == /bin/sh. Since that is what it would be set to anyways, this is not a security bug.
Wouldn't the correct behavior for news to be for it to use /sbin/nologin for a shell by default, and only to change that on the < 1% of systems which actually need it to be /bin/sh because they're running a news server?
That seems to be excessive complication.
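The checks argued over in this thread (an empty shell field, a shell path that does not exist, system accounts on /bin/false instead of /sbin/nologin, and mixed "*" / "!!" lock markers in the shadow file) are easy to script. The following audit is an added example, not code from the bug report or from shadow-utils; the passwd/shadow lines and the set of existing shells are constructed here, and the helper names (audit_passwd, audit_shadow, shadow_markers_consistent) are ours. The UID cutoff of 499 for system accounts is an assumption matching the Red Hat convention of that era.

```python
"""Audit /etc/passwd shell fields and /etc/shadow lock markers.

Added example for the bug thread above. Sample data is constructed;
helper names are not part of shadow-utils or any Red Hat tool.
"""
import os

# Constructed sample passwd lines mirroring the report (not a real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
ntp:x:38:38::/etc/ntp:/bin/nologin
apache:x:48:48:Apache:/var/www:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample shadow lines: pwconv-style "*" next to useradd-style "!!".
SAMPLE_SHADOW = """\
root:$6$salt$hash:15000:0:99999:7:::
news:*:15000:0:99999:7:::
ntp:!!:15000:0:99999:7:::
apache:!!:15000:0:99999:7:::
alice:$6$salt$hash:15000:0:99999:7:::
"""

# Shells assumed to exist on the audited host (constructed for the sample;
# the live audit below uses os.path.exists instead).
EXISTING_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/bin/false"}
NOLOGIN = "/sbin/nologin"
SYSTEM_UID_MAX = 499  # assumption: Red Hat of that era used UIDs < 500 for system accounts


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_passwd(text, shell_exists=lambda s: s in EXISTING_SHELLS):
    """Return (user, problem) pairs for every questionable shell field."""
    findings = []
    for fields in parse_colon_file(text):
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell == "":
            # login(1) treats an empty shell field as /bin/sh, so this grants an
            # interactive shell rather than denying one.
            findings.append((user, "empty shell field (defaults to /bin/sh)"))
        elif not shell_exists(shell):
            findings.append((user, f"shell {shell} does not exist"))
        elif 0 < uid <= SYSTEM_UID_MAX and shell != NOLOGIN:
            findings.append((user, f"system account uses {shell}; expected {NOLOGIN}"))
    return findings


def audit_shadow(text):
    """Group accounts with a locked password field by the lock marker used."""
    by_marker = {}
    for fields in parse_colon_file(text):
        user, pw = fields[0], fields[1]
        if pw and pw[0] in "*!":          # "*", "!!", "!" and "!<hash>" all lock the account
            by_marker.setdefault(pw, []).append(user)
    return by_marker


def shadow_markers_consistent(text):
    """True when at most one distinct lock marker is in use, as the reporter asked for."""
    return len(audit_shadow(text)) <= 1


def audit_live(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run both audits against real files; shadow usually needs root to read."""
    with open(passwd_path) as f:
        passwd_findings = audit_passwd(f.read(), shell_exists=os.path.exists)
    markers = {}
    if os.access(shadow_path, os.R_OK):
        with open(shadow_path) as f:
            markers = audit_shadow(f.read())
    return passwd_findings, markers


if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {problem}")
    print("shadow lock markers:", audit_shadow(SAMPLE_SHADOW))
    print("consistent:", shadow_markers_consistent(SAMPLE_SHADOW))
```

On the sample above the audit flags news (empty shell), ntp (nonexistent /bin/nologin) and apache, rpc, xfs (/bin/false on a system UID), and reports both "*" and "!!" in use in the shadow file; root and alice pass. Run audit_live() as root to check a real host.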