Date: Thu, 18 Jul 2019 11:31:35 +0000 (UTC) From: Sergey Kandaurov <pluknet@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r53262 - in head/en_US.ISO8859-1/books/handbook: network-servers security Message-ID: <201907181131.x6IBVZSB069087@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pluknet Date: Thu Jul 18 11:31:35 2019 New Revision: 53262 URL: https://svnweb.freebsd.org/changeset/doc/53262 Log: Consistent use of /usr/sbin/nologin. PR: 239121 Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Wed Jul 17 07:12:10 2019 (r53261) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Thu Jul 18 11:31:35 2019 (r53262) @@ -1802,19 +1802,19 @@ nis_client_enable="YES"</programlisting> <screen>basie&prompt.root; <userinput>cat /etc/master.passwd</userinput> root:[password]:0:0::0:0:The super-user:/root:/bin/csh toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh -daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin -operator:*:2:5::0:0:System &:/:/sbin/nologin -bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin -tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin -kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin -games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin -news:*:8:8::0:0:News Subsystem:/:/sbin/nologin -man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin -bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin +daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin +operator:*:2:5::0:0:System &:/:/usr/sbin/nologin +bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/usr/sbin/nologin +tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin +kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin +games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin +news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin +man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin +bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico -xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin -pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin -nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin +xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/usr/sbin/nologin +pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin -bill::::::::: +::::::::: @@ -2075,18 +2075,18 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.by user entries without allowing them to login into the servers. This can be achieved by adding an extra line:</para> - <programlisting>+:::::::::/sbin/nologin</programlisting> + <programlisting>+:::::::::/usr/sbin/nologin</programlisting> <para>This line configures the client to import all entries but to replace the shell in those entries with - <filename>/sbin/nologin</filename>.</para> + <filename>/usr/sbin/nologin</filename>.</para> <!-- Been there, done that, got the scars to prove it - ue --> <para>Make sure that extra line is placed <emphasis>after</emphasis> <literal>+@IT_EMP:::::::::</literal>. Otherwise, all user accounts imported from <acronym>NIS</acronym> will have - <filename>/sbin/nologin</filename> as their login + <filename>/usr/sbin/nologin</filename> as their login shell and no one will be able to login to the system.</para> <para>To configure the less important servers, replace the old @@ -2095,14 +2095,14 @@ ellington&prompt.user; <userinput>ypcat -k netgroup.by <programlisting>+@IT_EMP::::::::: +@IT_APP::::::::: -+:::::::::/sbin/nologin</programlisting> ++:::::::::/usr/sbin/nologin</programlisting> <para>The corresponding lines for the workstations would be:</para> <programlisting>+@IT_EMP::::::::: +@USERS::::::::: -+:::::::::/sbin/nologin</programlisting> ++:::::::::/usr/sbin/nologin</programlisting> <para>NIS supports the creation of netgroups from other netgroups which can be useful if the policy regarding user @@ -2134,12 +2134,12 @@ USERBOX IT_EMP ITINTERN USERS</programlisting> system contains two lines starting with <quote>+</quote>. The first line adds a netgroup with the accounts allowed to login onto this machine and the second line adds all other - accounts with <filename>/sbin/nologin</filename> as shell. It - is recommended to use the <quote>ALL-CAPS</quote> version of - the hostname as the name of the netgroup:</para> + accounts with <filename>/usr/sbin/nologin</filename> as shell. + It is recommended to use the <quote>ALL-CAPS</quote> version + of the hostname as the name of the netgroup:</para> <programlisting>+@<replaceable>BOXNAME</replaceable>::::::::: -+:::::::::/sbin/nologin</programlisting> ++:::::::::/usr/sbin/nologin</programlisting> <para>Once this task is completed on all the machines, there is no longer a need to modify the local versions of Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Jul 17 07:12:10 2019 (r53261) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Jul 18 11:31:35 2019 (r53262) @@ -191,7 +191,7 @@ <screen>&prompt.root; <userinput>pw lock <replaceable>toor</replaceable></userinput></screen> <para>The second method is to prevent login access by changing - the shell to <filename>/sbin/nologin</filename>. Only the + the shell to <filename>/usr/sbin/nologin</filename>. Only the superuser can change the shell for other users:</para> <screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin <replaceable>toor</replaceable></userinput></screen>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907181131.x6IBVZSB069087>