(this is probably an RFE for rpmlint)

On an everything beta2 install, the following system accounts do not use /sbin/nologin as their login shell:

[kaboom@urd kaboom]$ grep -v "/sbin/nologin" /etc/passwd | grep -v kaboom
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
rpm:x:37:37::/var/lib/rpm:/bin/bash
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
pvm:x:24:24::/usr/share/pvm3:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
privoxy:x:73:73::/etc/privoxy:
radvd:x:75:75:radvd user:/:/bin/false
canna:x:39:39:Canna Service User:/var/lib/canna:/bin/false
[kaboom@urd kaboom]$

Of these, many correctly need executable login shells (halt, root, shutdown, sync, rpm, postgres, mysql, news). However, 10 of these either have an incorrect shell, no shell, or are accounts for applications I'm not familiar enough w/ to know if they need shells or not:

wnn might or might not need a shell: Bug 80167
amanda might or might not need a shell: Bug 80168
pvm might or might not need a shell: Bug 80169
mailman has an incorrect shell: Bug 80170
squid might have an incorrect shell: Bug 80171
openldap has an incorrect shell: Bug 80172
netdump might or might not need a shell: Bug 80173
privoxy might or might not need a shell, but has none: Bug 80174
canna has an incorrect shell: Bug 80175
radvd has an incorrect shell: Bug 68372

Some of these probably aren't actually bugs (pvm and amanda I can conceive of needing a login shell, for example, but are applications I simply don't use enough to be sure), but many of them are clearly wrong.
These errors are systematic -- 10 of them! Furthermore, these happen with every release -- I've filed these same sorts of bug reports in past beta cycles. Some of these bugs have even been fixed in the past, and are now broken again (Bug 68372 for radvd, for example).

All of this argues that some sort of sanity checking of system accounts added by rpm is needed in the build cycle. As an outsider not totally familiar with the distribution building process / software used by RH, the obvious place to add this is rpmlint. It seems to me that rpmlint should flag all useradd / usermod operations creating system accounts with shells other than /sbin/nologin. Obviously, rpmlint also needs a whitelist of system accounts which do require a login shell and their correct shell. Such an enhancement would prevent these sorts of systematic rpm creation errors, increasing the default security of the final RHL product.
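
A sketch of the check requested above, added here as an illustration; it is stand-alone Python, not rpmlint code and not part of the original report. The function name, the verdict strings, the allowlist contents and the sample scriptlet lines are all assumptions made for the example.

```python
import shlex

NOLOGIN = "/sbin/nologin"
# Allowlist (assumption): three of the accounts the report says need a real
# shell, with the shells shown in its /etc/passwd listing.
ALLOWED_SHELLS = {"postgres": "/bin/bash", "mysql": "/bin/bash", "rpm": "/bin/bash"}
STOP = {"||", "&&", ";", "|", "&"}

# Constructed scriptlet lines, not copied from any real package.
SAMPLE_SCRIPTLET = """\
/usr/sbin/useradd -c "radvd user" -r -s /bin/false -u 75 -d / radvd 2>/dev/null || :
/usr/sbin/useradd -c "PostgreSQL Server" -u 26 -s /bin/bash -d /var/lib/pgsql postgres
/usr/sbin/useradd -r -u 73 -d /etc/privoxy privoxy
/usr/sbin/useradd -r -s /sbin/nologin -u 23 -d /var/spool/squid squid
/usr/sbin/usermod --shell=/bin/bash pvm
"""

def check_scriptlet(text):
    """Return [(login, shell, verdict)] for useradd/usermod calls needing review."""
    findings = []
    for line in text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: skip what we cannot tokenize
            continue
        cmd = tokens[0].rsplit("/", 1)[-1] if tokens else ""
        if cmd not in ("useradd", "usermod"):
            continue
        args = []
        for tok in tokens[1:]:  # keep arguments up to the first shell operator
            if tok in STOP or ">" in tok:
                break
            args.append(tok)
        if not args:
            continue
        login, shell = args[-1], None  # the login name is the last argument
        for i, tok in enumerate(args[:-1]):
            if tok in ("-s", "--shell") and i + 1 < len(args) - 1:
                shell = args[i + 1]
            elif tok.startswith("--shell="):
                shell = tok.split("=", 1)[1]
        if shell is None:
            if cmd == "useradd":  # shell falls back to the system default
                findings.append((login, None, "no-explicit-shell"))
        elif shell != NOLOGIN and ALLOWED_SHELLS.get(login) != shell:
            findings.append((login, shell, "unexpected-shell"))
    return findings

if __name__ == "__main__":
    for finding in check_scriptlet(SAMPLE_SCRIPTLET):
        print(finding)
```

An account such as pvm, which may legitimately need a shell, is still reported so that a packager either adds it to the allowlist or changes the shell.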
There is *some* work on some different automated checking tools going on. Closing for now.