Re: Do we need both /nonexistent and /var/empty in /etc/passwd?

From: Paul Procacci <pprocacci_at_gmail.com>
Date: Wed, 04 Dec 2024 06:07:13 UTC

On Wed, Dec 4, 2024 at 12:14 AM Dewayne Geraghty
<dewayne@heuristicsystems.com.au> wrote:
>
> I'm making some minor tweaks to (hopefully) improve the consistency (and
> perhaps security) of my systems. So I've added requirehome to login.conf,
> and everything still works :)
>
> This prompted me to examine /etc/passwd where some accounts use
> /var/empty and others /nonexistent.  Can anyone explain the need to have
> both available, from either the functional or security perspective?
> This is perplexing as the following standard accounts all use the
> "shell" /usr/sbin/nologin?
>
> For reference, from /etc/passwd, the accounts with /var/empty:
> sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
> _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
> hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>
> and those using home /nonexistent:
> proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
>
> I would've thought that /nonexistent is "better" but if a directory is
> tested for existence when requirehome is used, then /var/empty makes
> sense; but only with a shell other than nologin ??
>
> So let's try changing sshd home directory, from /var/empty to
> /nonexistent.  The behaviour is unchanged, when I login to a nonpriv'ed
> account
>
> # ps -axwwu|grep dewayne
> dewayne 35394   0.0  0.5 23960 9436  -  S    14:05      0:00.05 sshd:
> dewayne@pts/1 (sshd)
> # procstat -f 35394
> 35394 sshd               cwd v d r-------   -       - -   /
>
> I note that /var/empty can only be tested for existence unless root or
> group wheel,
> # ls -l /var | grep empty
> dr-xr-xr-x   2 root    wheel     512 21 Mar  2016 empty
>
>
> So, is there a need to have both /var/empty and /nonexistent in /etc/passwd?
>
> FWIW: On servers with a few installed applications, I note:
> # grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l
>        18
>        49
>
> Regards, Dewayne.
>

You need to read hier(7).

;)

~Paul

-- 
__________________

:(){ :|:& };:
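
Added example, not part of either post and not FreeBSD project code: a POSIX sh version of the `grep | wc -l` tally from the question, extended to check each placeholder home on disk. It assumes the convention that /nonexistent must not exist and that /var/empty must exist, be empty and carry no write bits (as in the `dr-xr-xr-x` listing quoted above); the `alice` account and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed sample: four passwd(5) lines quoted in the thread
# plus one hypothetical login account ("alice").
sample_passwd() {
cat <<'EOF'
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Constructed user:/home/alice:/bin/sh
EOF
}

# Read passwd(5) lines on stdin; print "<count> <home> <shell>" per distinct pair.
summarize_homes() {
    awk -F: '/^#/ || NF != 7 { next }
             { n[$6 " " $7]++ }
             END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Report whether a placeholder home matches its assumed convention on disk.
# $1 = home field from passwd, $2 = optional root prefix (hypothetical, for testing).
placeholder_state() {
    dir="${2:-}$1"
    case "$1" in
    /nonexistent)
        if [ -e "$dir" ]; then echo "UNEXPECTED: $1 exists"
        else echo "ok: $1 absent"; fi ;;
    /var/empty)
        if [ ! -d "$dir" ]; then echo "UNEXPECTED: $1 missing"
        elif [ -n "$(ls -A "$dir")" ]; then echo "UNEXPECTED: $1 not empty"
        else
            # Any write bit means some account could populate the directory.
            mode=$(ls -ld "$dir" | awk '{ print $1 }')
            case "$mode" in
            *w*) echo "UNEXPECTED: $1 writable ($mode)" ;;
            *)   echo "ok: $1 empty and read-only ($mode)" ;;
            esac
        fi ;;
    *) echo "n/a: $1 is not a placeholder home" ;;
    esac
}

sample_passwd | summarize_homes
for h in /var/empty /nonexistent; do placeholder_state "$h"; done
```

On a live system, feed it the real file with `summarize_homes < /etc/passwd`.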