Re: /sbin/nologin in /etc/shells

On 29 September 2016 at 04:54, Toby Goodwin <toby@xxxxxxxxxxx> wrote:
>>nologin is listed in /etc/shells since 2002 [1].
>
> This seems like an extraordinary mistake, and I agree with Jonathan
> Kamens' comment on the original ticket [1]. I note that his concerns
> were never adequately answered; the only response was a hand-wavy "well
> we did it and it doesn't seem to have broken".

One of the reasons for it to be in /etc/shells was that various audit
systems failed an OS if it wasn't. [Various government and bank
security audit tools have rules like
https://www.stigviewer.com/stig/vmware_esxi_v5/2013-01-15/finding/GEN002140-ESXI5-000046
] The second reason was that outside scripts would fail because chsh
was giving an 'error' that nologin was not there.

While it can be argued that these are problems with other parties, what
was happening is that they haven't been fixed in multiple years and
everyone who had to have anything from a PCI to a .gov audit had to go
put this in the file already. This basically then becomes a "do you
need to manually add this on the system? [Y/N]" purchase checkmark for
banks, credit card processors, government contractors.


-- 
Stephen J Smoogen.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
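
The audit finding and the chsh complaint described in the message above both come down to comparing account login shells against /etc/shells. The following is an added example, not part of the original message and not taken from any audit tool; it assumes a rule of the form "every login shell used in /etc/passwd must be listed in /etc/shells", and the function name `unlisted_shells` and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Report accounts whose login shell is not listed in the shells file.
# $1 = passwd-format file, $2 = shells-format file.
# Output: one "user:shell" line per finding; empty output means pass.
# Assumed rule shape (not quoted from any audit tool): every shell
# named in passwd must also appear in the shells list.
unlisted_shells() {
    awk -F: '
        # First file argument: the shells list. Skip comments and blanks.
        FILENAME == ARGV[1] {
            if ($0 !~ /^[ \t]*(#|$)/) ok[$0] = 1
            next
        }
        # Second file argument: passwd. Field 7 is the login shell; an
        # empty field means the system default shell and is not checked.
        $7 != "" && !($7 in ok) { print $1 ":" $7 }
    ' "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not copied from a real system.
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:2:2:daemon:/sbin:/sbin/nologin' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/zsh' > "$dir/passwd"
    # Variant 1: nologin absent from the shells list.
    printf '%s\n' '# constructed shells list' /bin/sh /bin/bash \
        > "$dir/shells.without"
    # Variant 2: nologin present, as discussed in the thread.
    printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$dir/shells.with"

    echo "Findings when /sbin/nologin is not listed:"
    unlisted_shells "$dir/passwd" "$dir/shells.without"
    echo "Findings when /sbin/nologin is listed:"
    unlisted_shells "$dir/passwd" "$dir/shells.with"
    rm -rf "$dir"
}

demo
```

With the first variant every service account using /sbin/nologin shows up as a finding; with the second only the account whose shell is genuinely unlisted remains.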



