On 3/25/07, Bruce Dubbs <[EMAIL PROTECTED]> wrote:
> Dan Nicholson wrote:
> > On 3/25/07, Robert Connolly <[EMAIL PROTECTED]> wrote:
> >> I dunno if any of you have tried it, but we can use nobody for the
> >> Coreutils tests. Add "nogroup" and "nobody" to /etc/group, and "nobody"
> >> in /etc/passwd in the "nobody" group. For the src/su command, add
> >> '-s /bin/sh' so that /bin/false won't be used.
> >
> > That seems fine to me.
>
> I don't agree.  The nobody user should never have a valid login shell or
> home directory.  If a temporary user is needed for the Coreutils tests,
> add a temp user and then as the INSTALL file says, `sudo env
> NON_ROOT_USERNAME=$USER make -k check`.  Delete the temp user when done.

If I understand Robert correctly, the nobody user doesn't have to have
a valid home directory or login shell. He's just saying to execute su
-s /bin/bash ... so that /bin/false isn't used. You can do this
anyway right now.

# grep ^nobody /etc/passwd
nobody:x:99:99:unprivileged nobody:/dev/null:/bin/false
# su -s /bin/bash nobody -c "echo no home directory needed"
no home directory needed

Oh, we already create nobody:nobody in LFS, so we could do this right now.

> I know we don't build sudo in LFS, but perhaps an equivalent su command
> could be used.

It works fine right now with the src/su that's built during coreutils.
But one thing I want to try to do before 6.3 is build the non-suid su
during Ch. 5 coreutils so that we can also switch users during the
bash testsuite.

> >> I'd also like to suggest we use /sbin/nologin (from Shadow), instead
> >> of /bin/false. 'nologin' is the same as 'false', except it gives a polite
> >> message explaining the account is suspended. It's intended for login
> >> accounts, while /bin/false is intended for everything else.
> >
> > Also seems fine to me, but I have no idea what the
> > history/implications of that change would be.
>
> Using /sbin/nologin to give a "polite" message for accounts that should
> *never* be tried is overkill.  To me, it's not an accident and users
> trying that don't need or deserve courtesy.  I prefer /bin/false.
>
> That said, it doesn't make a practical difference.

Sure. Maybe it's worth a mention that system users get /bin/false but
that /sbin/nologin can also be used. In fact, I don't think that the
/dev/null home directory, /bin/false login shell is currently
explained anywhere in LFS or BLFS. The discussion would be good even
if we don't change the current situation. I know it seemed strange to
me the first time I saw one of those entries in passwd.

--
Dan
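
The thread's convention (system users get /bin/false, or alternatively /sbin/nologin) can be checked mechanically. The following audit is an added example, not part of the original message or of LFS; the SYS_UID_MAX cutoff of 999, the function names and every sample line except the nobody entry are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report system accounts in passwd-format data whose login shell is not one
# of the two non-login shells named in the thread.
# Assumption: UIDs 1..SYS_UID_MAX (default 999) are system accounts.

audit_system_shells() {
    # $1: path to a passwd-format file (defaults to /etc/passwd)
    awk -F: -v max="${SYS_UID_MAX:-999}" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        $3 == 0        { next }      # root legitimately has a login shell
        $3 + 0 <= max + 0 || $1 == "nobody" {
            # An empty shell field means the system default shell is used,
            # so it counts as a valid login shell and is reported.
            if ($7 != "/bin/false" && $7 != "/sbin/nologin")
                printf "%s uid=%s shell=%s home=%s\n",
                       $1, $3, ($7 == "" ? "(default)" : $7), $6
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data; only the nobody line is taken from the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:unprivileged nobody:/dev/null:/bin/false
mail:x:8:8:constructed mail user:/var/mail:/sbin/nologin
daemon:x:6:6:constructed daemon:/dev/null:/bin/bash
ftp:x:45:45:constructed ftp user:/srv/ftp:
alice:x:1000:1000:constructed regular user:/home/alice:/bin/bash
EOF
}

# Demo: run the audit over the constructed sample when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_passwd > "$tmp"
    audit_system_shells "$tmp"
    rm -f "$tmp"
fi
```

Run without arguments after sourcing, `audit_system_shells` reads /etc/passwd; an empty result means every system account already has a non-login shell.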