Bug 80176 - Build process RFE: lack of login shell sanity-checking for system accounts
Product: Red Hat Linux
Classification: Retired
Component: distribution
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Keywords: FutureFeature
Reported: 2002-12-21 02:32 EST by Chris Ricker
Modified: 2014-03-16 22:33 EDT
Doc Type: Enhancement
Last Closed: 2005-03-02 13:42:03 EST
Attachments: None

Description Chris Ricker 2002-12-21 02:32:36 EST
(this is probably an RFE for rpmlint)

On an everything beta2 install, the following system accounts do not use
/sbin/nologin as their login shell:

[kaboom@urd kaboom]$ grep -v "/sbin/nologin" /etc/passwd | grep -v kaboom
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
radvd:x:75:75:radvd user:/:/bin/false
canna:x:39:39:Canna Service User:/var/lib/canna:/bin/false
[kaboom@urd kaboom]$ 

Of these, many correctly need executable login shells (halt, root, shutdown,
sync, rpm, postgres, mysql, news).

However, 10 of these either have an incorrect shell, no shell, or are accounts
for applications I'm not familiar enough w/ to know if they need shells or not:

wnn might or might not need a shell: Bug 80167
amanda might or might not need a shell: Bug 80168
pvm might or might not need a shell: Bug 80169
mailman has an incorrect shell: Bug 80170
squid might have an incorrect shell: Bug 80171
openldap has an incorrect shell: Bug 80172
netdump might or might not need a shell: Bug 80173
privoxy might or might not need a shell, but has none: Bug 80174
canna has an incorrect shell: Bug 80175
radvd has an incorrect shell: Bug 68372

Some of these probably aren't actually bugs (pvm and amanda I can conceive of
needing a login shell, for example, but are applications I simply don't use
enough to be sure), but many of them are clearly wrong.

These errors are systematic -- 10 of them! Furthermore, these happen with every
release -- I've filed these same sorts of bug reports in past beta cycles. Some
of these bugs have even been fixed in the past, and are now broken again (Bug
68372 for radvd, for example).

All of this argues that some sort of sanity checking of system accounts added by
rpm is needed in the build cycle. As an outsider not totally familiar with the
distribution building process / software used by RH, the obvious place to add
this is rpmlint. 

It seems to me that rpmlint should flag all useradd / usermod operations
creating system accounts with shells other than /sbin/nologin. Obviously,
rpmlint also needs a whitelist of system accounts which do require a login shell
and their correct shell. Such an enhancement would prevent these sorts of
systematic rpm creation errors, increasing the default security of the final RHL
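
The check the report asks for, as an added example (not rpmlint's or Red Hat's code): it walks passwd-format data and flags system accounts whose shell is not /sbin/nologin, unless the account is on a whitelist that also pins the shell it is allowed to have. The UID cut-off of 499 for system accounts and the whitelist contents are assumptions, and the passwd excerpt is constructed from the accounts named in the report.

```python
NOLOGIN = "/sbin/nologin"
# Assumed: Red Hat Linux of this era reserved UIDs below 500 for system accounts.
SYSTEM_UID_MAX = 499

# Assumed whitelist: the system accounts the report says need a real shell,
# each with the shell it is expected to carry. Everything else must use nologin.
SHELL_WHITELIST = {
    "root": "/bin/bash",
    "halt": "/sbin/halt",
    "shutdown": "/sbin/shutdown",
    "sync": "/bin/sync",
    "postgres": "/bin/bash",
    "mysql": "/bin/bash",
}

def check_passwd(passwd_text, whitelist=SHELL_WHITELIST, uid_max=SYSTEM_UID_MAX):
    """Return (name, shell, problem) for every system account whose shell is wrong."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "", "malformed passwd entry"))
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if int(uid) > uid_max:
            continue  # ordinary user account, not a packaging concern
        if name in whitelist:
            if shell != whitelist[name]:
                findings.append((name, shell, "expected %s" % whitelist[name]))
        elif shell == "":
            # passwd(5): an empty shell field makes login(1) fall back to /bin/sh
            findings.append((name, shell, "empty shell, defaults to /bin/sh"))
        elif shell != NOLOGIN:
            # /bin/false also blocks interactive login, but the distro standard is nologin
            findings.append((name, shell, "system account without %s" % NOLOGIN))
    return findings

# Constructed sample: entries from the report plus root, halt and a normal user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
halt:x:7:0:halt:/sbin:/sbin/halt
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
privoxy:x:73:73:privoxy:/etc/privoxy:
kaboom:x:500:500:Chris:/home/kaboom:/bin/bash
"""
```

Running `check_passwd(SAMPLE_PASSWD)` flags wnn (bash), mailman (/bin/false) and privoxy (empty shell), and leaves root, halt and postgres alone because they match the whitelist.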
Comment 1 Bill Nottingham 2005-03-02 13:42:03 EST
There is *some* work on some different automated checking tools going
on. Closing for now.