nologin is listed in /etc/shells since 2002 [1]. This seems like an extraordinary mistake, and I agree with Jonathan Kamens' comment on the original ticket [1]. I note that his concerns were never adequately answered; the only response was a hand-wavy "well we did it and it doesn't seem to have broken".

As an administrator, I would expect setting a user's shell to nologin to prevent all access to the system. As an example of where this expectation fails if nologin is listed in /etc/shells: vsftpd allows access to a "nologin" user (it uses pam_shells).

I've read and re-read the original RFE [2]. The argument advanced for the change is "so that 'chsh' and other tools will allow its use without manual edit of /etc/passwd". I have no idea if that was true of chsh in RedHat 7.3, but in Fedora 24 chsh allows root to set any shell at all, with a warning if it doesn't exist, or isn't in /etc/shells.

With nologin absent from /etc/shells, non-root users are prevented from using chsh to change their own shell to nologin, but this seems like a feature, not a bug. I can imagine in my student days "chsh -s /sbin/nologin; clear" would have seemed like the ideal prank to type into an unattended terminal!

Can anyone name the "other tools" that R P Herrold might have had in mind? I've found system-config-users, which only allows setting a shell listed in /etc/shells. One remedy would be for system-config-users to follow the lead of chsh, and allow any shell to be set with a warning.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=53963#c6
[2] https://bugzilla.redhat.com/show_bug.cgi?id=53963#c0

Toby.
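
The following is an added example, not part of the original message: a shell check that lists accounts whose deny-access shell is itself listed in the shells file, which is the condition under which a service relying on pam_shells (the vsftpd case described above) would still accept them. The `DENY_SHELLS` list, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): list accounts whose
# "no login" shell is itself in the shells file, so a pam_shells check passes.

# Shells an administrator sets to deny access (assumed list for this example).
DENY_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# Valid entries of a shells file ($1): comments stripped, absolute paths only.
listed_shells() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | grep '^/'
}

# Deny shells that appear in the shells file ($1), one per line.
listed_deny_shells() {
    for s in $DENY_SHELLS; do
        listed_shells "$1" | grep -qxF -- "$s" && echo "$s"
    done
    return 0
}

# "user:shell" for every account in passwd file ($1) that has a deny shell
# listed in shells file ($2).
exposed_accounts() {
    for s in $(listed_deny_shells "$2"); do
        awk -F: -v sh="$s" '$7 == sh { print $1 ":" $7 }' "$1"
    done
    return 0
}

# Constructed sample data; on a real host pass /etc/passwd and /etc/shells.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftpuser:x:1001:1001::/srv/ftp:/sbin/nologin
svc:x:1002:1002::/var/empty:/usr/sbin/nologin
alice:x:1003:1003::/home/alice:/bin/bash
EOF
exposed_accounts "$demo_dir/passwd" "$demo_dir/shells"
```

In the constructed data only `ftpuser` is reported: `svc` also has a nologin shell, but its path is not listed in the sample shells file, so a check against that file would reject it.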