On 3/25/07, Bruce Dubbs <[EMAIL PROTECTED]> wrote:
> Dan Nicholson wrote:
> > On 3/25/07, Robert Connolly <[EMAIL PROTECTED]> wrote:
> >> I dunno if any of you have tried it, but we can use nobody for the
> >> Coreutils tests. Add "nogroup" and "nobody" to /etc/group, and
> >> "nobody" in /etc/passwd in the "nobody" group. For the src/su
> >> command, add '-s /bin/sh' so that /bin/false won't be used.
> >
> > That seems fine to me.
>
> I don't agree. The nobody user should never have a valid login shell or
> home directory. If a temporary user is needed for the Coreutils tests,
> add a temp user and then as the INSTALL file says, `sudo env
> NON_ROOT_USERNAME=$USER make -k check`. Delete the temp user when done.

If I understand Robert correctly, the nobody user doesn't have to have
a valid home directory or login shell. He's just saying to execute su
-s /bin/bash ... so that /bin/false isn't used. You can do this anyway
right now.

# grep ^nobody /etc/passwd
nobody:x:99:99:unprivileged nobody:/dev/null:/bin/false
# su -s /bin/bash nobody -c "echo no home directory needed"
no home directory needed

Oh, we already create nobody:nobody in LFS, so we could do this right now.

> I know we don't build sudo in LFS, but perhaps an equivalent su command
> could be used.

It works fine right now with the src/su that's built during coreutils.
But one thing I want to try to do before 6.3 is build the non-suid su
during Ch. 5 coreutils so that we can also switch users during the
bash testsuite.

> >> I'd also like to suggest we use /sbin/nologin (from Shadow), instead
> >> of /bin/false. 'nologin' is the same as 'false', except it gives a
> >> polite message explaining the account is suspended. It's intended for
> >> login accounts, while /bin/false is intended for everything else.
> >
> > Also seems fine to me, but I have no idea what the
> > history/implications of that change would be.
>
> Using /sbin/nologin to give a "polite" message for accounts that should
> *never* be tried is overkill. To me, it's not an accident and users
> trying that don't need or deserve courtesy. I prefer /bin/false.
>
> That said, it doesn't make a practical difference.

Sure. Maybe it's worth a mention that system users get /bin/false but
that /sbin/nologin can also be used. In fact, I don't think that the
/dev/null home directory, /bin/false login shell is currently
explained anywhere in LFS or BLFS. The discussion would be good even
if we don't change the current situation. I know it seemed strange to
me the first time I saw one of those entries in passwd.

--
Dan
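
Added example, not part of the original message or of the LFS book: a small audit of passwd-format input for the convention discussed above (system accounts with /bin/false or /sbin/nologin as shell and /dev/null as home). The function names, the UID cut-off of 999 and every sample line except the nobody entry quoted in the thread are assumptions made for the example.

```shell
#!/bin/sh
# Shells treated as "no login", as named in the thread.
NOLOGIN_SHELLS="/bin/false /sbin/nologin"

# Constructed sample in passwd(5) format. Only the nobody line is taken
# from the thread; the other entries are made up for the example.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
daemon:x:6:6:Daemon User:/dev/null:/sbin/nologin
tester:x:98:98:temp test user:/home/tester:/bin/sh
nobody:x:99:99:unprivileged nobody:/dev/null:/bin/false
EOF
}

# audit_passwd MAX_UID: read passwd lines on stdin and print one line per
# non-root account with UID <= MAX_UID: name, shell status, home status.
# An empty shell field is flagged too, since login falls back to /bin/sh.
audit_passwd() {
    awk -F: -v max="$1" -v ok="$NOLOGIN_SHELLS" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) nologin[a[i]] = 1 }
    /^#/ || NF != 7 { next }          # skip comments and malformed lines
    $3 == 0 || $3 > max { next }      # root and ordinary users are out of scope
    {
        shell = ($7 in nologin) ? "shell-ok" : "LOGIN-SHELL=" $7
        home  = ($6 == "/dev/null") ? "home-ok" : "HOME=" $6
        print $1, shell, home
    }'
}

# Run against the constructed sample; on a real system: audit_passwd 999 < /etc/passwd
sample_passwd | audit_passwd 999
```

A leftover temporary test user such as the constructed "tester" entry is the kind of line this flags; note that a no-login shell only blocks interactive logins, since root can still run commands as the account with su -s as shown in the message.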