
Bug#5212: xdm *still* allows login for /bin/true users



On Tue, Dec 10, 2002 at 12:58:31PM -0500, Branden Robinson wrote:
> On Sun, Dec 01, 2002 at 09:28:34AM +1100, Herbert Xu wrote:
[snip]
> > What Steven Durham may have meant is that after switching to PAM, the
> > people who want to allow only FTP access can use something other than
> > /bin/true to do so, e.g., a simple list through pam_listfile.
> 
> Okay, I need an explicit recommendation for a course of action on this
> issue.

Well, you could either:

(1) decide this bug is a real problem, and so try to come up with a
    solution (perhaps forwarding it upstream); or,
(2) decide this bug is "bogus", as Herbert puts it, and just close it.

I don't think I am in the position to recommend either way.

Disregarding for a moment what fixing XDM would entail, the fundamental
question here seems to be whether setting a user's shell to /bin/false
implies that every program that performs login functions should disallow
logins as that user. The bug submitter obviously thinks so; but not
everyone may agree with that.

It seems to me that setting a user's login shell as /bin/true or
/bin/false to prevent logins is a historical artifact of how /bin/login
(one of several login applications) works. Obviously, FTP logins and XDM
logins (and other logins) work differently; whether or not that
constitutes a bug, I don't think I am qualified to answer. Should every
login program behave exactly like /bin/login? I don't know, but it does
seem a bit far-fetched. 

If PAM provides another way of prohibiting logins for specific users, then
this whole issue would be moot, IMHO. But judging by bugs and recent
questions on -devel about setting users' shells to /bin/false or
/bin/true, this feature, if it exists, isn't very well-known. Perhaps it
should be documented somewhere people will actually notice? :-) (A simple
"how to manage user accounts" document should do it... if there's already
such a document somewhere, we should add this to it.)

[Disclaimer: I do not know how PAM works. So I might just be totally off
the wall here, in which case, ignore me as you suggested. ;-) ]

> Does that mean "ignore Mr. Teoh"?  :)
[snip]

See above. :-)


T

-- 
Some people complain about the Instant Gratification Syndrome of today's
generation, and just *can't wait* to let everyone know that.
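Added example, not part of the original message or of xdm: a small Python audit of the situation discussed above. It lists accounts whose shell is not in the shells file and reports which of them a given PAM stack would still admit, depending on whether the stack enforces pam_shells or a pam_listfile deny list. The account names, the PAM stacks and the file name /etc/xdm.deny are all constructed assumptions.

```python
# Added example: all data below is constructed, not taken from the bug report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftponly:x:1001:1001::/home/ftponly:/bin/true
alice:x:1002:1002::/home/alice:/bin/bash
mailonly:x:1003:1003::/home/mailonly:/bin/false
"""
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"
# Hypothetical PAM stacks for a display-manager service.
PAM_PLAIN = "auth required pam_unix.so\naccount required pam_unix.so\n"
PAM_SHELLS = "auth required pam_shells.so\n" + PAM_PLAIN
PAM_LIST = ("auth required pam_listfile.so item=user sense=deny "
            "file=/etc/xdm.deny onerr=succeed\n" + PAM_PLAIN)
DENY_FILES = {"/etc/xdm.deny": "ftponly\n"}  # hypothetical deny list contents


def non_login_users(passwd, shells):
    """Accounts whose shell field is not listed in the shells file."""
    valid = {s.strip() for s in shells.splitlines()
             if s.strip() and not s.strip().startswith("#")}
    return [f[0] for f in (l.split(":") for l in passwd.splitlines())
            if len(f) == 7 and f[6] not in valid]


def still_admitted(passwd, shells, pam_conf, deny_files):
    """Non-login-shell accounts that this PAM stack would not reject."""
    denied = set()
    for line in pam_conf.splitlines():
        tok = line.split()
        # Assumes simple control flags (no bracketed [value=action] syntax).
        if len(tok) < 3 or tok[0] not in ("auth", "account"):
            continue
        enforced = tok[1] in ("required", "requisite")
        args = dict(a.split("=", 1) for a in tok[3:] if "=" in a)
        if tok[2] == "pam_shells.so" and enforced:
            return []  # pam_shells rejects any shell missing from /etc/shells
        if (tok[2] == "pam_listfile.so" and enforced
                and args.get("item") == "user" and args.get("sense") == "deny"):
            denied |= set(deny_files.get(args.get("file"), "").split())
    return [u for u in non_login_users(passwd, shells) if u not in denied]
```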



