Closed stsp closed 3 months ago
Apparently this is also a problem in Debian. Do you mind opening a PR to set the shell to /sbin/nologin for system users?
> Do you mind opening a PR to set the shell to /sbin/nologin for system users?

If it's as simple as providing a hard-coded name, then yes. But shouldn't /etc/shells be consulted when selecting a nologin shell?
> If it's as simple as providing a hard-coded name, then yes.

I don't think it will be as easy as that, as the default value is the one used for regular users. But I don't think it should be very difficult to implement.

> But shouldn't /etc/shells be consulted when selecting a nologin shell?

I think so, but at least in Fedora there isn't any nologin shell.
$ cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/bin/dash
Since we are at it, what should be done to the home dir? Even though the dir itself is not created, it is written into /etc/passwd. This is a bug, too, IMO. You are not supposed to write a non-existent dir as a home dir.
So what should useradd write to the home dir field? Some * or -? Or maybe /var/run/user/<uid>? What do you think?
Never mind, I filed #983 for that.
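The question raised above, whether /etc/shells should be consulted when picking a nologin shell, and the observation that Fedora's /etc/shells lists no nologin entry at all, can be turned into a small selection routine. The following is an added example written for this thread, not shadow-utils code: the function name `pick_nologin_shell`, the candidate-path arguments and the preference order (a nologin/false entry listed in the shells file first, then a candidate binary that exists on disk, then refusal) are my own assumptions, and the shells file is passed as a parameter so it can be exercised against constructed sample files rather than the live system.

```sh
#!/bin/sh
# Added example, not shadow-utils code. Chooses a shell for a system account by
# consulting an /etc/shells-style file first, then falling back to well-known
# nologin binaries that exist on disk, and never defaulting to an interactive
# shell. The shells file and candidate paths are parameters (assumed interface)
# so the function can be run against constructed sample files.

# pick_nologin_shell SHELLS_FILE [CANDIDATE_PATH...]
#   Prints the chosen shell path and returns 0, or prints nothing and
#   returns 1 if no non-interactive shell is available.
pick_nologin_shell() {
    shells_file=$1
    shift

    # 1. Prefer a nologin/false entry the administrator listed in SHELLS_FILE
    #    (comment lines starting with '#' are ignored).
    if [ -r "$shells_file" ]; then
        listed=$(grep -v '^#' "$shells_file" | grep -E '/(nologin|false)$' | head -n 1)
        if [ -n "$listed" ]; then
            printf '%s\n' "$listed"
            return 0
        fi
    fi

    # 2. Otherwise take the first candidate that exists and is executable.
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done

    # 3. Refuse rather than silently fall back to the regular-user default
    #    shell; the caller decides how to report this.
    return 1
}

# Usage on a real host, for example:
#   pick_nologin_shell /etc/shells /usr/sbin/nologin /sbin/nologin /bin/false
```

The point of step 3 is the behaviour discussed in this thread: when nothing suitable is listed or installed, the routine fails loudly instead of handing a system account an interactive shell.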
The useradd manpage does not mention nologin being the shell for system accounts. And I don't see that it ever did. If you'd like a /etc/login.defs option to (optionally) separately set the system user shell, please re-open this issue, but that'll be a feature enhancement at this point.
According to this article: https://www.baeldung.com/linux/create-non-login-user --system sets shell to /usr/sbin/nologin. This is a bit odd, given that /etc/shells has only /sbin/nologin but not /usr/sbin/nologin. But in reality, useradd --system sets shell to /bin/bash, which is likely a security problem. Tested under fedora-40.