Date: Wed, 05 Jul 2006 06:30:59 -0700 From: Colin Percival <cperciva@freebsd.org> To: "Jari Aalto+mail.linux" <jari.aalto@cante.net>, "login: please move nologin under /bin directory" <374525@bugs.debian.org> Cc: "exim4-daemon-heavy: Use /bin/nologin instead of /bin/false in /etc/passwd" <366546-maintonly@bugs.debian.org>, "pidentd: \[security\] use /bin/nologin instead of /bin/false in /etc/passwd" <366545-maintonly@bugs.debian.org>, Ceri Davies <ceri@freebsd.org>, mstone@debian.org, freebsd-arch@freebsd.org, "openssh-server: \[security\] use /bin/nologin instead of /bin/false" <366541-maintonly@bugs.debian.org>, anibal@debian.org Subject: Re: [Pkg-shadow-devel] Bug#374525: Bug#366546: Mail delivery failed: returning message to sender Message-ID: <44ABBF13.8030602@freebsd.org> In-Reply-To: <20060705054251.GF5220@djedefre.onera> References: <20060509153807.16297.97467.reportbug@cante> <E1FsDxt-0001DV-Nv@cante> <E1FsQpg-0002x9-8H@cante> <20060620050937.GB18750@djedefre.onera> <E1Fxpms-0003TT-T4@cante> <20060704192449.GC76109@submonkey.net> <20060705054251.GF5220@djedefre.onera>
next in thread | previous in thread | raw e-mail | index | archive | help
Christian Perrier wrote: > As a first reaction and as one of the shadow maintainer, I'm now > inclined to agree with the choice of the FreeBSD team here. > > The rationale is clear... > > I'd like to hear the one from OpenBSD to put nologin in /sbin > though.. they might have a different definition of what goes in /sbin FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why OpenBSD still has /sbin/nologin. I moved FreeBSD's nologin to /usr/sbin two years ago, because 1. nologin needs to be statically linked to avoid linker environment security issues, 2. logging attempts to log in to a nologinned account requires that syslog code be pulled in (which significantly increases the size of a statically linked binary), 3. we like to keep the root filesystem small, and 4. Since nologin is intended for use in multiuser mode, there's no reason for it to be on the root filesystem -- in single user mode, users who aren't supposed to be allowed to login will never get to the point of running a shell (nologin or otherwise). In short, under the BSD hierarchy rules, nologin should be in /usr/sbin; any systems behaving otherwise are doing so for historical reasons only. Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44ABBF13.8030602>