(this is probably an RFE for rpmlint)
On an everything beta2 install, the following system accounts do not use
/sbin/nologin as their login shell:
[kaboom@urd kaboom]$ grep -v "/sbin/nologin" /etc/passwd | grep -v kaboom
wnn:x:49:49:Wnn System Account:/home/wnn:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
canna:x:39:39:Canna Service User:/var/lib/canna:/bin/false
Of these, many correctly need executable login shells (halt, root, shutdown,
sync, rpm, postgres, mysql, news).
However, 10 of these either have an incorrect shell, no shell, or are accounts
for applications I'm not familiar enough w/ to know if they need shells or not:
wnn might or might not need a shell: Bug 80167
amanda might or might not need a shell: Bug 80168
pvm might or might not need a shell: Bug 80169
mailman has an incorrect shell: Bug 80170
squid might have an incorrect shell: Bug 80171
openldap has an incorrect shell: Bug 80172
netdump might or might not need a shell: Bug 80173
privoxy might or might not need a shell, but has none: Bug 80174
cann has an incorrect shell: Bug 80175
radvd has an incorrect shell: Bug 68372
Some of these probably aren't actually bugs (pvm and amanda I can conceive of
needing a login shell, for example, but are applications I simply don't use
enough to be sure), but many of them are clearly wrong.
These errors are systematic -- 10 of them! Furthermore, these happen with every
release -- I've filed these same sorts of bug reports in past beta cycles. Some
of these bugs have even been fixed in the past, and are now broken again (Bug
68372 for radvd, for example).
All of this argues that some sort of sanity checking of system accounts added by
rpm is needed in the build cycle. As an outsider not totally familiar with the
distribution building process / software used by RH, the obvious place to add
this is rpmlint.
It seems to me that rpmlint should flag all useradd / usermod operations
creating system accounts with shells other than /sbin/nologin. Obviously,
rpmlint also needs a whitelist of system accounts which do require a login shell
and their correct shell. Such an enhancement would prevent these sorts of
systematic rpm creation errors, increasing the default security of the final RHL
There is *some* work on some different automated checking tools going
on. Closing for now.