From nobody Wed Dec 04 05:13:34 2024 X-Original-To: questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Y35KD43dDz5fwky for ; Wed, 04 Dec 2024 05:13:52 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Received: from heuristicsystems.com.au (hermes.heuristicsystems.com.au [203.41.22.115]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2560 bits) client-digest SHA256) (Client CN "hermes.heuristicsystems.com.au", Issuer "Heuristic Systems Type 4 Host CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Y35K95dPxz4Tct for ; Wed, 4 Dec 2024 05:13:49 +0000 (UTC) (envelope-from dewayne@heuristicsystems.com.au) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=heuristicsystems.com.au header.s=hsa header.b=T7r6J6S9; spf=pass (mx1.freebsd.org: domain of dewayne@heuristicsystems.com.au designates 203.41.22.115 as permitted sender) smtp.mailfrom=dewayne@heuristicsystems.com.au; dmarc=none Received: from [10.0.5.4] (bigears.hs [10.0.5.4]) (authenticated bits=0) by heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPA id 4B45DXJo064893 for ; Wed, 4 Dec 2024 16:13:36 +1100 (AEDT) (envelope-from dewayne@heuristicsystems.com.au) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=heuristicsystems.com.au; s=hsa; t=1733289216; x=1733894017; bh=rn47ONZg0PRsTXU8m+NU7ydPQ72z8lL9X1WgVz8uh5g=; h=Message-ID:Date:To:From:Subject; b=T7r6J6S9hpgsdFbw+whODkJPm3lmOKqfDP+sgjyrBehu4b37g3q1dV87PyxHhLvcI VAaz2C6zaitVbTPOKZt2NK+xnT4mfpF4l3iNoQcz7u9Dxpw4eqaTlZCS4W5UKYVsFn giFuUwieGKXfaPgJfxJv3wYcMIGIlZeiGzb0pKR34F0p3AA1Ut9VA X-Authentication-Warning: b3.hs: Host bigears.hs [10.0.5.4] claimed to be [10.0.5.4] Message-ID: <41641e69-c7b4-4558-8d2c-e6f70906c893@heuristicsystems.com.au> Date: Wed, 4 Dec 2024 16:13:34 +1100 List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-GB To: questions@freebsd.org From: Dewayne Geraghty Subject: Do we need both /nonexistent and /var/empty in /etc/passwd? Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Result: default: False [-5.09 / 15.00]; DWL_DNSWL_MED(-2.00)[heuristicsystems.com.au:dkim]; NEURAL_HAM_LONG(-1.00)[-1.000]; SUBJECT_ENDS_QUESTION(1.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[]; R_DKIM_ALLOW(-0.20)[heuristicsystems.com.au:s=hsa]; RCVD_IN_DNSWL_MED(-0.20)[203.41.22.115:from]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; ONCE_RECEIVED(0.10)[]; XM_UA_NO_VERSION(0.01)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[heuristicsystems.com.au]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; DKIM_TRACE(0.00)[heuristicsystems.com.au:+]; RCVD_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:1221, ipnet:203.40.0.0/13, country:AU]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[questions@freebsd.org]; RCVD_VIA_SMTP_AUTH(0.00)[]; HAS_XAW(0.00)[] X-Rspamd-Queue-Id: 4Y35K95dPxz4Tct X-Spamd-Bar: ----- I'm making some minor tweaks to (hopefully) improve the consistency (and perhaps security) of my systems. So I've added requirehome to login.com, and everything still works :) This prompted me to examine /etc/passwd where some accounts use /var/empty and others /nonexistent. Can anyone explain the need to have both available, from either the functional or security perspective? This is perplexing as the following standard accounts all use the "shell" /usr/sbin/nologin? For reference, from /etc/passwd, the accounts with /var/empty: sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin and those using home /nonexistent: proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin I would've thought that /nonexistent is "better" but if a directory is tested for existence when requirehome is used, then /var/empty makes sense; but only with a shell other than nologin ?? So lets try changing sshd homedirectory, from /var/empty to /nonexistent. The behaviour is unchanged, when I login to a nonpriv'ed account # ps -axwwu|grep dewayne dewayne 35394 0.0 0.5 23960 9436 - S 14:05 0:00.05 sshd: dewayne@pts/1 (sshd) # procstat -f 35394 35394 sshd cwd v d r------- - - - / I note that /var/empty can only be tested for existence unless root or group wheel, # ls -l /var | grep empty dr-xr-xr-x 2 root wheel 512 21 Mar 2016 empty So, is there a need to have both /var/empty and /nonexistent in /etc/passwd? FWIW: On servers with a few installed applications, I note: # grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l 18 49 Regards, Dewayne.