shadow-maint/shadow

useradd --system sets shell to bash

stsp opened this issue · 6 comments

stsp commented

According to this article:
https://www.baeldung.com/linux/create-non-login-user
--system sets shell to /usr/sbin/nologin.
This is a bit odd, given that /etc/shells has
only /sbin/nologin but not /usr/sbin/nologin.

But in reality, useradd --system sets shell to
/bin/bash, which is likely a security problem.
Tested under fedora-40.

Apparently this is also a problem in Debian. Do you mind opening a PR to set the shell to /sbin/nologin for system users?

stsp commented

Do you mind opening a PR to set the shell to /sbin/nologin for system users?

If it's as simple as providing a
hard-coded name, then yes.
But shouldn't /etc/shells be
consulted when selecting a
nologin shell?

If it's as simple as providing a hard-coded name, then yes.

I don't think it will be as easy as that, as the default value is the one used for regular users. But I don't think it should be very difficult to implement.

But shouldn't /etc/shells be consulted when selecting a nologin shell?

I think so, but at least in Fedora there isn't any nologin shell.

$ cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/bin/dash
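
An added example, not shadow's own code: a POSIX shell audit for the condition reported in this issue, i.e. accounts in the system UID range whose login shell is an interactive shell from /etc/shells. It assumes SYS_UID_MAX is 999 (the usual /etc/login.defs value; pass the real one as the third argument) and embeds constructed sample data, including the Fedora /etc/shells shown above.

```sh
# audit_system_shells PASSWD_FILE SHELLS_FILE [SYS_UID_MAX]
# Prints "name:uid:shell" for every non-root account with uid <= SYS_UID_MAX
# whose shell is listed in the shells file. Shells ending in nologin or
# false are ignored even when listed, because some distributions do put
# /sbin/nologin into /etc/shells, so membership alone is not "interactive".
audit_system_shells() {
    awk -F: -v max="${3:-999}" '
        # First file (shells): collect entries, skipping comments and blanks
        FNR == NR { if ($0 !~ /^#/ && $0 != "") login[$0] = 1; next }
        # Second file (passwd): system-range uid, not root, interactive shell
        $3 > 0 && $3 <= max && ($7 in login) && $7 !~ "/(nologin|false)$" {
            print $1 ":" $3 ":" $7
        }
    ' "$2" "$1"
}

# Constructed sample data: one system account created with /bin/bash
# (the useradd --system behaviour described in this issue), one with
# /sbin/nologin, plus root and a regular user that must not be reported.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
svc-build:x:850:850::/nonexistent:/bin/bash
svc-web:x:851:851::/var/www:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$dir/shells" <<'EOF'
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/usr/bin/tmux
/bin/tmux
/bin/dash
EOF
    audit_system_shells "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

# On a real host run: audit_system_shells /etc/passwd /etc/shells
# Each reported account can be corrected with: usermod -s /sbin/nologin NAME
demo_audit
```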

stsp commented

Since we are at it, what should be
done to the home dir? Even though
the dir itself is not created, it is written
into /etc/passwd.
This is a bug, too, IMO. You are not
supposed to write a non-existent dir
as a home dir.

So what should useradd write to the
home dir field? Some * or -? Or
maybe /var/run/user/<uid>?
What do you think?

stsp commented

Never mind, I filed #983 for that.

The useradd manpage does not mention nologin being the shell for system accounts. And I don't see that it ever did. If you'd like a /etc/login.defs option to (optionally) separately set the system user shell, please re-open this issue, but that'll be a feature enhancement at this point.