What to do about nologin(8)?
David Schultz
das at FreeBSD.ORG
Tue Feb 24 14:37:25 PST 2004

On Mon, Feb 23, 2004, Colin Percival wrote:
> I can see a number of possible options; I'd like to hear
> opinions on which would be the best.

This is the third time this issue has been discussed, so before
the same arguments are rehashed, I'd like to lay out a simple plan
that I think people are unlikely to object to. (If anyone *does*
object, please say so.)

(1) Fix login(1) so that it disables the -p option when the target
    user's shell is not in /etc/shells (unless the invoking user
    is root), and

(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.

After that, people are welcome to debate whether to make nologin
dynamically linked again (which should be safe), whether to move
it to /usr/sbin (which sounds reasonable, but won't matter as much
anymore), and whatnot. I just don't want to (once again) get into
a big debate that ends up getting derailed so that nobody gets
anything done.

P.S. Both of these ideas are due to Tim Kientzle.
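
Added example (not part of the original message, and not FreeBSD's login(1) code): a sketch of the decision in item (1), where -p is honoured only if the invoker is root or the target user's shell is listed in a shells(5)-format file. The function names, the shells_path parameter and the sample file under /tmp are assumptions made so the check can run against a constructed list; a real login(1) would more likely consult getusershell(3).

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if `shell` is listed in the shells(5)-format file at `path`. */
static int shell_is_listed(const char *path, const char *shell)
{
    char line[1024];
    int found = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 0;               /* fail closed: unreadable list means "not listed" */
    while (!found && fgets(line, sizeof(line), fp) != NULL) {
        char *p = line + strspn(line, " \t");   /* skip leading whitespace */
        p[strcspn(p, "# \t\r\n")] = '\0';       /* cut at comment, blank or EOL */
        if (*p == '/' && strcmp(p, shell) == 0) /* only absolute paths count */
            found = 1;
    }
    fclose(fp);
    return found;
}

/* Decide whether a requested -p (preserve environment) is honoured. */
int honor_preserve_env(uid_t invoker, const char *target_shell,
                       const char *shells_path, int p_requested)
{
    if (!p_requested)
        return 0;
    if (invoker == 0)
        return 1;               /* root may always use -p */
    return shell_is_listed(shells_path, target_shell);
}

/* Write a constructed sample shells file; returns 0 on success. */
int write_sample_shells(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("# constructed sample\n/bin/sh\n/bin/csh  # C shell\n\n", fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "/tmp/shells.sample";    /* hypothetical location */
    if (write_sample_shells(path) != 0)
        return 1;
    printf("uid 1001 -> /bin/sh:       %d\n", honor_preserve_env(1001, "/bin/sh", path, 1));
    printf("uid 1001 -> /sbin/nologin: %d\n", honor_preserve_env(1001, "/sbin/nologin", path, 1));
    return 0;
}
```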