Do we need both /nonexistent and /var/empty in /etc/passwd?
Date: Wed, 04 Dec 2024 05:13:34 UTC
I'm making some minor tweaks to (hopefully) improve the consistency (and perhaps security) of my systems. So I've added requirehome to login.conf, and everything still works :) This prompted me to examine /etc/passwd, where some accounts use /var/empty and others /nonexistent. Can anyone explain the need to have both available, from either the functional or security perspective? This is perplexing, as the following standard accounts all use the "shell" /usr/sbin/nologin.

For reference, from /etc/passwd, the accounts with /var/empty:

    sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
    _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
    _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
    auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
    _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
    hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin

and those using home /nonexistent:

    proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
    pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
    www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
    nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin

I would've thought that /nonexistent is "better", but if a directory is tested for existence when requirehome is used, then /var/empty makes sense; but only with a shell other than nologin??

So let's try changing sshd's home directory from /var/empty to /nonexistent. The behaviour is unchanged when I log in to a nonpriv'ed account:

    # ps -axwwu|grep dewayne
    dewayne 35394 0.0 0.5 23960 9436 - S 14:05 0:00.05 sshd: dewayne@pts/1 (sshd)
    # procstat -f 35394
    35394 sshd cwd v d r------- - - - /

I note that /var/empty can only be tested for existence unless root or group wheel:

    # ls -l /var | grep empty
    dr-xr-xr-x 2 root wheel 512 21 Mar 2016 empty

So, is there a need to have both /var/empty and /nonexistent in /etc/passwd?
FWIW: On servers with a few installed applications, I note:

    # grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l
    18
    49

Regards, Dewayne.
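An added audit script, not part of the post above, that turns the question into a check: for every nologin-style account in a passwd(5)-format file it reports whether the home directory exists and whether group or others could write to it (the practical difference between a read-only /var/empty and a home that never exists). The ROOT argument, the make_sample helper and its passwd lines are constructed for this example so it runs on a scratch tree rather than the live system.

```shell
#!/bin/sh
# audit_homes PASSWD_FILE [ROOT]
# For accounts whose shell is nologin/false, print: name, home, state where
# state is missing (home absent under ROOT), readonly (exists, no group/other
# write bit) or writable (exists, group or others can write). On a live host
# pass ROOT as "" (or omit it) to check the real filesystem.
audit_homes() {
    passwd_file=$1
    root=${2:-}
    # passwd fields: name:passwd:uid:gid:gecos:home:shell
    while IFS=: read -r name _ _ _ _ home shell; do
        case "$shell" in
            */nologin|*/false) ;;   # service accounts only
            *) continue ;;
        esac
        dir="$root$home"
        if [ ! -d "$dir" ]; then
            # Absent home: harmless for a nologin account; it only matters if
            # requirehome applies and the account ever gets a real session.
            state=missing
        else
            # Group and other permission bits from ls -ld, e.g. "r-xr-x".
            perms=$(ls -ld "$dir" | cut -c5-10)
            case "$perms" in
                *w*) state=writable ;;   # a service account could drop files here
                *)   state=readonly ;;
            esac
        fi
        printf '%s\t%s\t%s\n' "$name" "$home" "$state"
    done < "$passwd_file"
}

# Constructed sample (assumed, not from any real host): a scratch root with a
# read-only var/empty, a group-writable home for one made-up service account,
# and passwd lines modelled on the ones quoted in the post. Prints the root.
make_sample() {
    tree=$(mktemp -d)
    mkdir -p "$tree/var/empty" "$tree/home/svc"
    chmod 555 "$tree/var/empty"
    chmod 775 "$tree/home/svc"
    cat > "$tree/passwd" <<EOF
root:*:0:0:Charlie &:/root:/bin/sh
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
svc:*:900:900:Sample service:/home/svc:/usr/sbin/nologin
EOF
    echo "$tree"
}
```

Running `audit_homes "$(make_sample)/passwd" "$(make_sample)"` is not what you want (two different scratch roots); capture the root once, as in `t=$(make_sample); audit_homes "$t/passwd" "$t"`.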