Dmitry
Resolved
0 votes
CentOS 7 removed /sbin/nologin from /etc/shells; this happened on October 30, 2018, and all users, even mail-only or VPN-only ones, have shell access to the server. Is it really necessary, or can /sbin/nologin be added to /etc/shells? Will nothing be broken?
Monday, July 01 2019, 03:57 PM
Responses (4)
  • Accepted Answer

    Monday, July 01 2019, 08:30 PM - #Permalink
    Resolved
    0 votes
    Confirmed. Bug report is here:

    https://gitlab.com/clearos/clearfoundation/app-shell-extension/issues/1

    This will affect all 7.6 installations that were NOT previously installed with 7.5. Some 7.5 installs may be affected but all new user adds after the patch from upstream will be affected.

    You can read more about the reasons why they 'fixed' this here:

    https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
  • Accepted Answer

    Monday, July 01 2019, 09:14 PM - #Permalink
    Resolved
    0 votes
    I would like to push this out tomorrow and fast track it to ClearOS Business as well since it is kinda security related.

    yum --enablerepo=clearos-updates-testing update app-base


    http://koji.clearos.com/koji/taskinfo?taskID=24319

    BTW, this fix will NOT remove entries to the /etc/shells file but rather introduces the nologin option only on the menu. If you end up with two on your list this means that you are vulnerable to the issues discussed here and you should remove it so that your file comports. Look to see if you have an /etc/shells.rpmnew and consider replacing your /etc/shells with it.

    https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UCUWTT63JS72R7ROFE46ZVUZLFN3K2MZ/
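A read-only audit of the check described in the reply above, as an added example that is not part of the thread and not ClearOS code: it lists the nologin entries in a shells file, the entries a packaged .rpmnew does not carry, and the accounts whose shell is one of the listed nologin paths. The function names and sample files are constructed for illustration; on a real system the arguments would be /etc/shells, /etc/shells.rpmnew and /etc/passwd.

```shell
#!/bin/sh
# Added example (not ClearOS code). Paths are passed in so this can be run
# against copies; the sample files written in demo() are constructed.

# Active entries of a shells file: comments and blank lines dropped.
shell_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Entries whose final path component is "nologin".
nologin_entries() {
    shell_entries "$1" | awk '{ n = split($1, p, "/"); if (p[n] == "nologin") print $1 }'
}

# Entries in the live file ($1) that the packaged .rpmnew ($2) does not list.
not_in_rpmnew() {
    shell_entries "$1" | grep -Fxv -f "$2" || true
}

# Accounts in a passwd-format file ($1) whose shell is a nologin path that
# the shells file ($2) lists.
affected_accounts() {
    nologin_entries "$2" | sort -u | while IFS= read -r s; do
        awk -F: -v s="$s" '$7 == s { print $1 }' "$1"
    done
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' /bin/sh /bin/bash /sbin/nologin /usr/sbin/nologin > "$d/shells"
    printf '%s\n' /bin/sh /bin/bash /usr/bin/sh /usr/bin/bash > "$d/shells.rpmnew"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'mailonly:x:1001:1001::/home/mailonly:/sbin/nologin' \
        'vpnonly:x:1002:1002::/home/vpnonly:/usr/sbin/nologin' \
        'admin:x:1003:1003::/home/admin:/bin/bash' > "$d/passwd"
    echo "nologin entries in shells file:";  nologin_entries "$d/shells"
    echo "entries absent from .rpmnew:";     not_in_rpmnew "$d/shells" "$d/shells.rpmnew"
    echo "accounts using a listed nologin:"; affected_accounts "$d/passwd" "$d/shells"
    rm -rf "$d"
}
demo
```

Empty output from nologin_entries means the shells file already matches what the reply recommends.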
  • Accepted Answer

    Tuesday, July 02 2019, 08:32 AM - #Permalink
    Resolved
    0 votes
    @Dave,
    Something has fallen over and koji has not pushed to the repos (there are other problems in the repos as well at the moment), so no one can test.

    FWIW updates-testing on newyork1 is empty! On singapore1 it is populated with what there was before yesterday, so only app-base-2.7.1.

    I have tried patching manually with weird results. The first time I patched, and the first time only, /sbin/nologin went to the bottom of the login shell list so the default was /bin/sh. Not good. I then added /usr/sbin/nologin to the list and /sbin/nologin went to the top of the list and became the default. From then, every time I changed get_list(), either /sbin/nologin or /usr/sbin/nologin appeared at the top of the list.

    As a comment, to be consistent with /etc/shells and the old list, shouldn't /usr/sbin/nologin also be added to get_list()?
            array_unshift($list, "/sbin/nologin", "/usr/sbin/nologin");
  • Accepted Answer

    Tuesday, July 02 2019, 06:28 PM - #Permalink
    Resolved
    0 votes
    This is my fault; I didn't properly hard link the files on the new ISO and OS build migration and caused the mirrors to run out of space. So they are inconsistent. This problem will clear soon. I've updated the package with your suggestion and built it.