shadow-maint / shadow

Upstream shadow tree

useradd --system sets shell to bash #981

Status: closed by stsp, 3 months ago

stsp commented 3 months ago

According to this article: https://www.baeldung.com/linux/create-non-login-user --system sets shell to /usr/sbin/nologin. This is a bit odd, given that /etc/shells has only /sbin/nologin but not /usr/sbin/nologin.

But in reality, useradd --system sets shell to /bin/bash, which is likely a security problem. Tested under fedora-40.

ikerexxe commented 3 months ago

Apparently this is also a problem in Debian. Do you mind opening a PR to set the shell to /sbin/nologin for system users?

stsp commented 3 months ago

Do you mind opening a PR to set the shell to /sbin/nologin for system users?

If it's as simple as providing a hard-coded name, then yes. But shouldn't /etc/shells be consulted when selecting a nologin shell?

ikerexxe commented 3 months ago

If it's as simple as providing a hard-coded name, then yes.

I don't think it will be as easy as that, as the default value is the one used for regular users. But I don't think it should be very difficult to implement.

But shouldn't /etc/shells be consulted when selecting a nologin shell?

I think so, but at least in Fedora there isn't any nologin shell.

$ cat /etc/shells 
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/bin/dash
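
As an added example (not code from the shadow project or from anyone in this thread), a small POSIX shell audit that flags system accounts whose login shell appears in /etc/shells, i.e. accounts left with the interactive default described above. The passwd/shells paths, the 999 SYS_UID_MAX cut-off and the sample accounts are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not shadow's own code. Audit a passwd file for system
# accounts (0 < uid <= SYS_UID_MAX) whose shell is listed in /etc/shells,
# which is exactly what a user created with "useradd --system" ends up
# with when the default shell stays /bin/bash.

# audit_system_shells PASSWD SHELLS SYS_UID_MAX
# Prints "user:shell" for each offending account; returns 1 if any found.
audit_system_shells() {
    passwd_file=$1 shells_file=$2 sys_uid_max=$3
    found=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        # skip root (uid 0) and regular users above the system range
        [ "$uid" -gt 0 ] && [ "$uid" -le "$sys_uid_max" ] || continue
        # an empty shell field means /bin/sh to login(1), so treat it as such
        shell=${shell:-/bin/sh}
        # a path listed in /etc/shells is one the system accepts for login
        if grep -qxF -- "$shell" "$shells_file"; then
            printf '%s:%s\n' "$name" "$shell"
            found=1
        fi
    done < "$passwd_file"
    [ "$found" -eq 0 ]
}

# Constructed sample data (not from a real host): the Fedora /etc/shells
# quoted in the thread plus one "useradd --system" account left on bash.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' /bin/sh /bin/bash /usr/bin/sh /usr/bin/bash \
        /usr/bin/tmux /bin/tmux /bin/dash > "$dir/shells"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
chrony:x:981:981::/var/lib/chrony:/sbin/nologin
svc-demo:x:980:980::/var/lib/svc-demo:/bin/bash
EOF
    echo "$dir"
}

# Demo on the constructed data. On a live host pass /etc/passwd,
# /etc/shells and SYS_UID_MAX from /etc/login.defs (999 assumed here).
sample=$(make_sample)
audit_system_shells "$sample/passwd" "$sample/shells" 999 \
    || echo "system accounts with an interactive shell found"
rm -rf "$sample"
```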

stsp commented 3 months ago

Since we are at it, what should be done to the home dir? Even though the dir itself is not created, it is written into /etc/passwd. This is a bug, too, IMO. You are not supposed to write a non-existent dir as a home dir.

So what should useradd write to the home dir field? Some * or -? Or maybe /var/run/user/<uid>? What do you think?

stsp commented 3 months ago

Never mind, I filed #983 for that.

hallyn commented 3 months ago

The useradd manpage does not mention nologin being the shell for system accounts. And I don't see that it ever did. If you'd like a /etc/login.defs option to (optionally) separately set the system user shell, please re-open this issue, but that'll be a feature enhancement at this point.