1) /sbin/nologin does display a nice message upon login, while /bin/false does not. 2) /sbin/nologin displays the message upon login regardless of whether it is in /etc/shells or not. These two sentences ^^ describe two independent properties. Nobody loses the "message upon login" feature of nologin by nologin being removed from shells.
Let's look at the history of /sbin/nologin. According to the OpenBSD man pages nologin was introduced in 4.4BSD. 4.4BSD has both /sbin/nologin [1] and /etc/shells [2]. /sbin/nologin is not in /etc/shells. (I tried to search for the string "nologin" to see whether there is a setup script that adds /sbin/nologin to /etc/shells and found nothing [6].) So, we might think the makers of nologin either didn't want to include it or made a mistake. Since the current OpenBSD still doesn't include /sbin/nologin in /etc/shells, I'd guess it has been intentional all along. The behavior of su in 4.4BSD is to disallow a change to a shell not listed in /etc/shells. su in 4.4BSD doesn't have the -s switch but does have the -m switch and it uses getusershell() [3]. getusershell() reads /etc/shells [4]. Internally, su has a function that changes the user shell (with -m) if it is in /etc/shells [5]. The original source code of su [5] is short and quite readable. It's clear that adding /sbin/nologin to /etc/shells in 4.4BSD would break the assumptions laid down by the man pages, the source code, and by the apparent meaning of nologin's name. The current man pages in Fedora do not suggest a change in the philosophy of /etc/shells, su, or nologin. [1] https://github.com/sergev/4.4BSD-Lite2/tree/master/usr/src/sbin/nologin [2] https://github.com/sergev/4.4BSD-Lite2/blob/master/etc/shells [3] http://man.openbsd.org/4.4BSD-Lite2/man1/su.1 [4] http://man.openbsd.org/4.4BSD-Lite2/getusershell.3 [5] https://github.com/sergev/4.4BSD-Lite2/blob/master/usr/src/usr.bin/su/su.c#L246 [6] https://github.com/sergev/4.4BSD-Lite2/search?p=1&q=nologin&utf8=%E2%9C%93 -- Jakub Svoboda / Red Hat Product Security
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
