Oddities in "shell" column of /etc/passwd (Was Re: OpenSSH, ...)

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 06/23/02


Kasper Dupont <kasperd@daimi.au.dk> said:
>Jem Berkes wrote:
>> Apparently the new OpenSSH 3.3 (released yesterday) has privilege
>> separation enabled by default, as described here:
>> http://www.citi.umich.edu/u/provos/ssh/privsep.html
...
>> Is this the correct way to create a dummy user?
>>
>> sshd:*:54333:54333:sshd:/no/where:/no/shell
>
>The format is correct.
...
>Your choice of home and shell is unusual. I just verified
>what nobody used on different systems, the home was set to
>either / or /dev/null, and the shell was set to either
>/sbin/nologin or /dev/null.

I've had some use for at least dummy shell fields; IIRC it was something
related to giving people valid accounts on a machine to connect with
ftp (the ftpd required that the shell be listed in /etc/shells, so the
nonexistent dummy shell was listed there). There was also some reason
not to use /bin/false or /sbin/nologin or somesuch - but it's some time
since I left the environment where I needed that, so the details escape.

To top it all, this was a NIS environment, so the shell field was set
with the NIS 'catch-all'-functionality, i.e. the users had completely
valid accounts via NIS on most of the other machines, but for the
ftp-only machine the accounts were provided with something like
+::::::/no/shell
and specifying "passwd: compat" in nsswitch.conf.

The NIS netgroups also provided a handy syntax for recognising all the
known users on each machine, but only allow logins for a certain group
on a single machine. Netgroups were also used to limit NFS exports.

No, it was not a hacker-proof environment, but it was a working one. The users
could be trusted and outside access was denied, so the inherent problems
with NIS (public passwd maps) and NFS (identity-spoofing clients) were
not an issue, so the technologies could be used.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
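The post turns on a subtlety worth making concrete: services such as ftpd and chsh decide whether an account is "valid" by looking the shell up in /etc/shells, so a dummy, nonexistent shell that is listed there passes those checks while still preventing an interactive login, and an NIS compat "+" line with a non-empty shell field silently rewrites the shell of every NIS user it pulls in. The following is an added audit example, not code from the original post or from any of the systems it mentions. All inputs (the passwd lines, the /etc/shells list and the set of shell binaries assumed to exist) are constructed in memory so the script runs offline; on a real host the same logic would read /etc/passwd and /etc/shells and use os.path.exists for the existence check.

```python
"""Audit passwd-style shell fields: which accounts can actually log in?

Added example, not from the original post. The passwd content,
/etc/shells list and the set of "existing" shell binaries below are
constructed stand-ins; nothing on the host is read.
"""
from dataclasses import dataclass

# Constructed /etc/passwd sample: the sshd privsep entry from the thread,
# a few typical service accounts, and an NIS compat '+' override line.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sshd:*:54333:54333:sshd:/no/where:/no/shell
nobody:x:65534:65534:nobody:/:/sbin/nologin
ftpuser:x:1001:1001:ftp only:/home/ftpuser:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
+::::::/no/shell
"""

# Constructed /etc/shells. The dummy /no/shell is deliberately listed,
# which is the trick the post describes for an ftpd that consults it.
SHELLS = ["/bin/sh", "/bin/bash", "/no/shell"]

# Constructed set of shell paths that actually exist on the "host".
# Note /no/shell is absent: listed in /etc/shells, but never runnable.
EXISTING = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/false", "/dev/null"}

# Shells conventionally used to deny interactive login (not exhaustive).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null"}


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines. Returns (local_accounts, compat_override_shell).

    In 'passwd: compat' mode a bare '+' line pulls in every NIS user, and a
    non-empty shell field on that line replaces the shell of each user it
    pulls in. '+@netgroup' lines are recognised but skipped here.
    """
    accounts, override = [], None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if name.startswith("+"):
            if name == "+" and shell:
                override = shell
            continue
        accounts.append(Account(name, int(uid), home, shell))
    return accounts, override


def classify(shell, shells, existing):
    """Classify a shell field from an auditor's point of view.

    'nologin'      : a well-known denial shell
    'login'        : listed in /etc/shells and the binary exists
    'listed-dummy' : listed in /etc/shells but the binary does not exist;
                     passes /etc/shells checks (ftpd, chsh) yet cannot
                     start an interactive session
    'unlisted'     : not in /etc/shells; most login services reject it
    """
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    if shell in shells:
        return "login" if shell in existing else "listed-dummy"
    return "unlisted"


def audit(passwd_text, shells, existing):
    """Return {account name: classification} for every local account."""
    accounts, _ = parse_passwd(passwd_text)
    return {a.name: classify(a.shell, shells, existing) for a in accounts}


def nis_user_shell(passwd_text, nis_map_shell):
    """Shell an NIS-supplied user ends up with on this host: the compat '+'
    override when present, otherwise the value from the NIS passwd map."""
    _, override = parse_passwd(passwd_text)
    return override or nis_map_shell


if __name__ == "__main__":
    for name, kind in audit(PASSWD, SHELLS, EXISTING).items():
        print(f"{name:10s} {kind}")
    # An NIS user whose map entry says /bin/bash still gets /no/shell here.
    print("NIS user shell on this host:", nis_user_shell(PASSWD, "/bin/bash"))
```

The point of the two-level check is that "listed in /etc/shells" and "can actually log in" are different properties: an inventory that only looks at /etc/shells would report the sshd and NIS-overridden accounts as ordinary login accounts, while one that only looks for /sbin/nologin-style shells would miss that the dummy shell is what keeps them non-interactive.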
