On 2022-10-12 14:43:06 +0200, Michael Biebl wrote:
> Apparently you can still use su, sudo etc with --disabled-login. So I wonder
> if there is a real difference in practice to --disabled-password.

In some way, I would regard the command-via-ssh feature as behaving
a bit like sudo: this is not a login, one just wants to run a
command (sudo is used to run it as another user, ssh is used to
run it remotely).

> In any case, apparently a "login" under that user has happened (via SSH I
> assume). Otherwise pam_systemd.so and `systemd --user` wouldn't have been
> triggered.

While I wanted to report a bug against adduser to ask for a
clarification, I saw:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625758
  'adduser --disabled-login' does not behave as documented.

reported 11 years ago and still open!

Last comment a few months ago

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625758#72

with in particular:

- change and document (adduser(8)) that --disabled-password will behave
  like --disabled-login and additionally set the shell to
  /usr/sbin/nologin.
- --disabled-login and an explicitly set --shell is an error and will be
  flagged as such.

Using both --disabled-login and --shell was exactly what I did
(setting a shell was necessary to be able to run the command,
even though how the command is run is not mentioned in the sshd
man page).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
