
System accounts with valid shells



(Apologies to Colin and Phillip for the duplicate.  It helps if I send to
the right debian-devel list.)

Hello all,

Debian currently creates most of its system users with a valid shell of
/bin/sh.  I was reminded of this problem by the recent closure of #588367,
and bug #274229 against base-passwd is still open and has been for years.
Phillip rightfully is following the precedent of base-passwd, but I think
this is globally incorrect and should be fixed everywhere.

I realize the theory is that this doesn't matter, since the accounts are
locked in /etc/shadow.  However, there are ways to configure a system
where that may or may not be honored for every possible authentication
path (such as Kerberos authentications where the existence of the account
is checked but the PAM stack is not run, or where /etc/shadow is ignored
in favor of some other data source due to nsswitch configuration).  It
increases the risk that a user may be able to log on to a system account
if there is a conflict between some other source of authentication
information (local Kerberos, LDAP, etc.) and the local /etc/passwd and
/etc/shadow files.

That being said, the *primary* reason that I would like to see this
changed is that the valid shells are an audit finding in literally every
system-level audit that we go through, and every time that happens I have
to explain again why it's probably safe (or diverge from Debian and deal
with prompts every time base-passwd is upgraded).  This is a standard
checkbox on a UNIX system audit, and this default honestly makes Debian
look bad, even if it's a trivial matter.

Even if the risk is low, I see absolutely no reason why these accounts
should have valid shells, and therefore don't understand why we wouldn't
want to just change them to /usr/sbin/nologin.  The local administrator
has other ways of getting a shell with that account by overriding the
shell with su, etc., if they really want to interactively be that user.

Colin, this bug has been dormant for a very long time, and I've previously
pinged it with no response.  Is that just due to lack of time, or were you
not sure whether this should change?  Is this something for which you want
the broader advice of the project or the technical committee?

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
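The audit check Russ describes, written out as an added example that is not part of the original message or of base-passwd: a POSIX shell script that scans a passwd file for system accounts whose login shell is still a real shell and emits the usermod commands that would switch them to /usr/sbin/nologin. The passwd entries are constructed for the example (modelled on Debian defaults, not copied from any host), and the function names, the UID boundary of 1000 (Debian's default UID_MIN) and the special-casing of the 65534 "nobody" account are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original message or from base-passwd): audit a
# passwd file for system accounts that still carry a real login shell, and
# emit the remediation an administrator would review before applying it.
#
# Assumptions: system accounts are UID < 1000 (Debian's default UID_MIN) plus
# the 65534 "nobody" account; root (UID 0) is a real login account and is
# skipped; the shells in NOLOGIN_SHELLS are the ones that count as "no shell".

# Constructed passwd snippet modelled on Debian defaults; not a real host's file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Shells that refuse interactive login. Checked explicitly rather than via
# /etc/shells, because /etc/shells is the whitelist chsh consults, not a list
# of shells that deny logins.
NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false'

# is_nologin_shell SHELL -> 0 if SHELL denies interactive login, 1 otherwise.
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# find_system_accounts_with_shells PASSWD_TEXT
# Prints one "user:uid:shell" line per system account whose shell is a real shell.
find_system_accounts_with_shells() {
    printf '%s\n' "$1" | while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        # Skip malformed or commented lines instead of handing them to test(1).
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -eq 0 ] && continue
        if [ "$uid" -lt 1000 ] || [ "$uid" -eq 65534 ]; then
            if ! is_nologin_shell "$shell"; then
                printf '%s:%s:%s\n' "$user" "$uid" "$shell"
            fi
        fi
    done
}

# count_findings PASSWD_TEXT -> number of accounts flagged (the figure an auditor tallies).
count_findings() {
    find_system_accounts_with_shells "$1" | wc -l | tr -d ' '
}

# remediation_commands PASSWD_TEXT -> usermod lines that set /usr/sbin/nologin.
remediation_commands() {
    find_system_accounts_with_shells "$1" | while IFS=: read -r user _uid shell; do
        printf 'usermod -s /usr/sbin/nologin %s   # was %s\n' "$user" "$shell"
    done
}

# Run against the constructed sample. On a real host pass "$(cat /etc/passwd)",
# or "$(getent passwd)" to include NSS sources such as LDAP, instead.
echo "Findings: $(count_findings "$SAMPLE_PASSWD")"
find_system_accounts_with_shells "$SAMPLE_PASSWD"
remediation_commands "$SAMPLE_PASSWD"
```

On the sample this flags daemon, bin, sys, www-data and nobody, leaves sshd and messagebus alone because they already have non-login shells, and ignores alice as a regular user. Running it against `getent passwd` as well as /etc/passwd is the practical way to catch the case the message raises, where an NSS source such as LDAP disagrees with the local files. After the change, an administrator who genuinely needs a shell as one of these accounts still has the override Russ mentions, e.g. `su -s /bin/sh - www-data`.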

