file /etc/passwd reads:

  Debian-exim:x:102:102::/var/spool/exim4:/bin/false

SUGGESTION

The new login package includes binary /bin/nologin which behaves the
as /bin/false, but helps with security auditions by leaving a trace
of login attempt to syslog.

Please chenge to use 'nologin' in place of 'false'

tags #366546 - security
thanks

This does not need to be on the security team's radar.

exim relies on adduser's default value, which still is /bin/false.

Additionally, I do not see the necessity of having transition code in
the maintainer scripts which might introduce additional breakage.

I'll need to think about this issue for a while.

Greetings
Marc

tags #366546 - security
thanks

This does not need to be on the security team's radar.

exim relies on adduser's default value, which still is /bin/false.

Additionally, I do not see the necessity of having transition code in
the maintainer scripts which might introduce additional breakage.

I'll need to think about this issue for a while.

Greetings
Marc

| > To Shadow list: please consider moving:
| >
| >   /usr/bin/nologin   -> /bin/nologin
| >
| > so that other packages could start using 'nologin' instead of current
| > /bin/false.
|
| This seems fair by me. I wonder whether this should deserve a
| transition or just move the binary....After all, nologin is not here
| since a long time so it's pretty unlikely that many packages use it
| (for instance to define it as some created users shell).
|
| I'm tempted to avoid a complicated transition. Advices?

I've CC'd packages where I've been advogating nologin in Debian. The
binary is not yet widely used, so just move it so that we can get full
potential of nologin to forthcoming etch.

| I think that this suggestion should go to upstream as well. Having
| nologin in /bin does not make sense only for Debian, of course.
|
| Tomasz?

Than would be FreeBSD devel list. I'm not sure which list, but I've
added CC to:

    freebsd-qa@freebsd.org

| Jari, I'm OK with you cloning this bug report and reassign a "please
| move nologin to /bin" bug to login.

created new one.

http://bugs.debian.org/374525

Thanks,
Jari

Agreed.

Tomasz (shadow upstream) mentioned me that nologin lies in /sbin in
OpenBSD so that he's tempted to default installing it there.

As already mentioned elsewhere, I have no strong opinion on this for
what to do in Debian and I'm ready to listen to suggestions and
various rationales....


CC'ing that specific bug.....and restricting the Reply-To field so
that we avoid CC'ing the whole world for this. People who want to be kept
informed about this, please request to be CC'ed specifically.

FreeBSD-arch@FreeBSD.org is better for "move x to y" type discussions.

We (FreeBSD) have only recently moved it from /sbin to /usr/sbin; see
http://marc.theaimsgroup.com/?l=freebsd-current&m=107755834602236&w=2
for the discussion we had, if it's of any use.

Ceri

| > > | I think that this suggestion should go to upstream as well. Having
| > > | nologin in /bin does not make sense only for Debian, of course.
| > > |
|
| FreeBSD-arch AT FreeBSD.org is better for "move x to y" type discussions.
|
| > Tomasz (shadow upstream) mentioned me that nologin lies in /sbin in
| > OpenBSD so that he's tempted to default installing it there.
| >
| > As already mentioned elsewhere, I have no strong opinion on this for
| > what to do in Debian and I'm ready to listen to suggestions and
| > various rationales....
|
| We (FreeBSD) have only recently moved it from /sbin to /usr/sbin; see
| http://marc.theaimsgroup.com/?l=freebsd-current&m=107755834602236&w=2
| for the discussion we had, if it's of any use.

Thanks for the URL.

About the /sbin comment 1: "Bloating of the root filesystem".
I don't see that to be problem here. I think it would be
better to keep things logically separate and resserver /usr
for other things.

About comment 3: There is no reason for nologin(8) to be in
/sbin, since it isn't needed in single-user mode", this has
weight.

However nologin is a system utility it would be better kept
directly under root directory, if /sbin is not ideal, then
it should go to /bin -- to same place as "login".

Jari

That's up to you; we don't consider it a system utility, that's all.

Our hier(7) is pretty clear, and we try to stick to it:

     /bin/      user utilities fundamental to both single-user and
		multi-user environments

     /sbin/     system programs and administration utilities fundamental
		to both single-user and multi-user environments

Since it isn't either of the above, it goes under /usr (in FreeBSD; you
are, of course, free to disagree).

Ceri

| On Tue, Jul 04, 2006 at 09:38:18PM +0300, Jari Aalto+mail.linux wrote:
|
| > However nologin is a system utility it would be better kept
| > directly under root directory, if /sbin is not ideal, then
| > it should go to /bin -- to same place as "login".
|
| That's up to you; we don't consider it a system utility, that's all.
|
| Our hier(7) is pretty clear, and we try to stick to it:
|
|      /bin/      user utilities fundamental to both single-user and
| 		multi-user environments

FHS 2.3 reads

    <http://www.pathname.com/fhs/pub/fhs-2.3.html#BINESSENTIALUSERCOMMANDBINARIES>
    /bin contains commands that may be used by both the system
    administrator and by users, but which are required
    when  no other filesystems are mounted (e.g. in single user mode).
          ============================================================

|      /sbin/     system programs and administration utilities fundamental
| 		to both single-user and multi-user environments

    <http://www.pathname.com/fhs/pub/fhs-2.3.html#SBINSYSTEMBINARIES>
   Utilities used for system administration (and other
   root-only commands) are stored in /sbin, /usr/sbin, and
   /usr/local/sbin. /sbin contains
   binaries  essential for booting, restoring, recovering, and/or
             ====================================================...
   repairing the system

| Since it isn't either of the above, it goes under /usr (in FreeBSD; you
| are, of course, free to disagree).

Thank you for explaining.

As Debian follows the FHS, the correct place here seems to be
/bin according to FHS. (as where "login" is also located)

Jari

inclined to agree with the choice of the FreeBSD team here.

The rationale is clear...

I'd like to hear the one from OpenBSD to put nologin in /sbin
though.. they might have a different definition of what goes in /sbin

However, others might have a different point of view in Debian and I'd
like to get all possible advices. I might even consider asking our
Technical Commitee after a discussion in debian-devel (which I don't
put much hope in based on past experience).

In short, let's take a deep breath and think about all this.

The standard we have to comply with in Debian is the FHS 2.3, from the
policy. It states:


/bin : Essential user command binaries (for use by all users)

/bin contains commands that may be used by both the system
administrator and by users, but which are required when no other
filesystems are mounted (e.g. in single user mode). It may also
contain commands which are used indirectly by scripts.

/sbin : System binaries

Utilities used for system administration (and other root-only
commands) are stored in /sbin, /usr/sbin, and /usr/local/sbin. /sbin
contains binaries essential for booting, restoring, recovering, and/or
repairing the system in addition to the binaries in /bin. [18]
Programs executed after /usr is known to be mounted (when there are no
problems) are generally placed into /usr/sbin. Locally-installed
system administration programs should be placed into
/usr/local/sbin. [19]

The question then shortens down to "will we need nologin when /usr is
not mounted". Do we have existing or future use cases?


PS: let's shorten down the CC list of these mails. My own point here is to
decide what to do in Debian so we might want to stop bothering FreeBSD
developers (which I took the opportunity to sy "hi" to....I have some
good old friends over there).

[snip]

Could you please explain how nologin is required in single user mode?

Mike Stone

| On Wed, Jul 05, 2006 at 08:52:28AM +0300, Jari Aalto+mail.linux wrote:
| >FHS 2.3 reads
| >
| >    <http://www.pathname.com/fhs/pub/fhs-2.3.html#BINESSENTIALUSERCOMMANDBINARIES>
| >    /bin contains commands that may be used by both the system
| >    administrator and by users, but which are required
| >    when  no other filesystems are mounted (e.g. in single user mode).
| >          ============================================================
| [snip]
| >As Debian follows the FHS, the correct place here seems to be
| >/bin according to FHS. (as where "login" is also located)
|
| Could you please explain how nologin is required in single user mode?

I was more reading the mounting part if nologin resided on /usr/bin

Jari

Ok, still please explain. A system that doesn't have /usr mounted isn't
a system in normal operation. What about nologin makes it *essential*
for system recovery or otherwise required for a system in an
extraordinary state?

Mike Stone

Christian Perrier wrote:

FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why
OpenBSD still has /sbin/nologin.

I moved FreeBSD's nologin to /usr/sbin two years ago, because
1. nologin needs to be statically linked to avoid linker environment
security issues,
2. logging attempts to log in to a nologinned account requires that
syslog code be pulled in (which significantly increases the size of
a statically linked binary),
3. we like to keep the root filesystem small, and
4. Since nologin is intended for use in multiuser mode, there's no
reason for it to be on the root filesystem -- in single user mode,
users who aren't supposed to be allowed to login will never get to
the point of running a shell (nologin or otherwise).

In short, under the BSD hierarchy rules, nologin should be in /usr/sbin;
any systems behaving otherwise are doing so for historical reasons only.

Colin Percival

From my reading, it isn't, since it isn't "required when no other
filesystems are mounted".  Obviously, I'm not familiar with your FHS, or
the historical interpretations thereof, though.

Ceri

Colin Percival:
Thanks a lot for taking time to detail all this. This is very helpful
to make a decision. I like such interesting collaboration.

The balance is currently more and more in favor of /usr/sbin for
Debian...which is nice because this is what we use right now..:-)

Reformulation: Jari, you need to bring strong arguments if you want us
to change this, now..:-). This is not a "go away" answer but I think
that maintaining your request for moving nologin to /bin will need you
to give work to our Technical Committee..:-)

| Colin Percival:
|
| > FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why
| > OpenBSD still has /sbin/nologin.
| >=20
| > I moved FreeBSD's nologin to /usr/sbin two years ago, because
|
|
| Thanks a lot for taking time to detail all this. This is very helpful
| to make a decision. I like such interesting collaboration.
|
| The balance is currently more and more in favor of /usr/sbin for
| Debian...which is nice because this is what we use right now..:-)
|
| Reformulation: Jari, you need to bring strong arguments if you want us
| to change this, now..:-). This is not a "go away" answer but I think
| that maintaining your request for moving nologin to /bin will need you
| to give work to our Technical Committee..:-)

Please go ahead, I have no objections. Glad to see this issue resolved.

Jari

Key word in this case is "avoiding". If some bad things sits in ld.so why
not fix this directly ?
Also strange thing IMO is in this case is nologin static linking. Yes I
know about ssh pass LD_* but IMO fixing this by static linking is
incorrect way because this is only next "avoiding" ..

kloczek

Tomasz K?oczko wrote:

FreeBSD's dynamic linker knows about the security issues involving LD_*
(set[ug]id binaries and noexec filesystems) and acts accordingly.  However,
/usr/sbin/nologin is not set[ug]id, and unlike other shells, we care if a
user can subvert it by preloading libraries.

Debian might have a different solution to this problem; but this one works
for FreeBSD.

Colin Percival

(shortening the CC list a little, assuming that ppl from the FreeBSD
project read freebsd-arch which seems likely)

To refix the context, Tomasz Klockzko, who you're answering to, is not
working in the Debian project, but is the upstream author of shadow,
which provides two binary packages in Debian, namely login and
passwd. nologin is provided in the "login" package.

So, in short, Tomasz does not really speak with a Debian-centric
reasoning but more with his upstream hat (upstream for "our" nologin
of course).

| Colin Percival:
|
| > FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why
| > OpenBSD still has /sbin/nologin.
| >=20
| > I moved FreeBSD's nologin to /usr/sbin two years ago, because
|
|
| Thanks a lot for taking time to detail all this. This is very helpful
| to make a decision. I like such interesting collaboration.
|
| The balance is currently more and more in favor of /usr/sbin for
| Debian...which is nice because this is what we use right now..:-)
|
| Reformulation: Jari, you need to bring strong arguments if you want us
| to change this, now..:-). This is not a "go away" answer but I think
| that maintaining your request for moving nologin to /bin will need you
| to give work to our Technical Committee..:-)

Please go ahead, I have no objections. Glad to see this issue resolved.

Jari

| Colin Percival:
|
| > FWIW, nologin was in /sbin in BSD 4.4; this is almost certainly why
| > OpenBSD still has /sbin/nologin.
| >=20
| > I moved FreeBSD's nologin to /usr/sbin two years ago, because
|
|
| Thanks a lot for taking time to detail all this. This is very helpful
| to make a decision. I like such interesting collaboration.
|
| The balance is currently more and more in favor of /usr/sbin for
| Debian...which is nice because this is what we use right now..:-)
|
| Reformulation: Jari, you need to bring strong arguments if you want us
| to change this, now..:-). This is not a "go away" answer but I think
| that maintaining your request for moving nologin to /bin will need you
| to give work to our Technical Committee..:-)

Please go ahead, I have no objections. Glad to see this issue resolved.

Jari

Hello,

Good morning,

We have gone through your samples from a partner and Here is our  Order
List. Please do bear in mind that we are very much in  need of this
order, quote your competitive prices.

Kindly send the Order confirmation.

Your early reply will be much appreciated.

Best Regards,

Maryanah Erwin.

PT FINDORA INTERNUSA

Jln Pahlawan 66 Kec. Arjawinangun

45162 CIREBON West-Java INDONESIA

tel : +62 231 357334

fax: +62 231 357260

email: marketing@findora.com

Hello,

Good morning,

We have gone through your samples from a partner and Here is our  Order
List. Please do bear in mind that we are very much in  need of this
order, quote your competitive prices.

Kindly send the Order confirmation.

Your early reply will be much appreciated.

Best Regards,

Maryanah Erwin.

PT FINDORA INTERNUSA

Jln Pahlawan 66 Kec. Arjawinangun

45162 CIREBON West-Java INDONESIA

tel : +62 231 357334

fax: +62 231 357260

email: marketing@findora.com

Hello,

Good morning,

We have gone through your samples from a partner and Here is our  Order
List. Please do bear in mind that we are very much in  need of this
order, quote your competitive prices.

Kindly send the Order confirmation.

Your early reply will be much appreciated.

Best Regards,

Maryanah Erwin.

PT FINDORA INTERNUSA

Jln Pahlawan 66 Kec. Arjawinangun

45162 CIREBON West-Java INDONESIA

tel : +62 231 357334

fax: +62 231 357260

email: marketing@findora.com

Hello,

Good morning,

We have gone through your samples from a partner and Here is our  Order
List. Please do bear in mind that we are very much in  need of this
order, quote your competitive prices.

Kindly send the Order confirmation.

Your early reply will be much appreciated.

Best Regards,

Maryanah Erwin.

PT FINDORA INTERNUSA

Jln Pahlawan 66 Kec. Arjawinangun

45162 CIREBON West-Java INDONESIA

tel : +62 231 357334

fax: +62 231 357260

email: marketing@findora.com