From: Paul Procacci
Date: Wed, 4 Dec 2024 01:07:13 -0500
Subject: Re: Do we need both /nonexistent and /var/empty in /etc/passwd?
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
In-Reply-To: <41641e69-c7b4-4558-8d2c-e6f70906c893@heuristicsystems.com.au>
To: Dewayne Geraghty
Cc: questions@freebsd.org

On Wed, Dec 4, 2024 at 12:14 AM Dewayne Geraghty wrote:
>
> I'm making some minor tweaks to (hopefully) improve the consistency (and
> perhaps security) of my systems. So I've added requirehome to login.conf,
> and everything still works :)
>
> This prompted me to examine /etc/passwd where some accounts use
> /var/empty and others /nonexistent. Can anyone explain the need to have
> both available, from either the functional or security perspective?
> This is perplexing as the following standard accounts all use the
> "shell" /usr/sbin/nologin?
>
> For reference, from /etc/passwd, the accounts with /var/empty:
> sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
> _ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
> hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>
> and those using home /nonexistent:
> proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
>
> I would've thought that /nonexistent is "better" but if a directory is
> tested for existence when requirehome is used, then /var/empty makes
> sense; but only with a shell other than nologin ??
>
> So let's try changing the sshd home directory, from /var/empty to
> /nonexistent. The behaviour is unchanged, when I login to a nonpriv'ed
> account
>
> # ps -axwwu|grep dewayne
> dewayne 35394 0.0 0.5 23960 9436 - S 14:05 0:00.05 sshd:
> dewayne@pts/1 (sshd)
> # procstat -f 35394
> 35394 sshd cwd v d r------- - - - /
>
> I note that /var/empty can only be tested for existence unless root or
> group wheel,
> # ls -l /var | grep empty
> dr-xr-xr-x 2 root wheel 512 21 Mar 2016 empty
>
>
> So, is there a need to have both /var/empty and /nonexistent in /etc/passwd?
>
> FWIW: On servers with a few installed applications, I note:
> # grep var/empty /etc/passwd | wc -l ; grep /nonexistent /etc/passwd | wc -l
> 18
> 49
>
> Regards, Dewayne.
>

You need to read hier(7). ;)

~Paul

-- 
__________________
:(){ :|:& };:
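Paul points at hier(7), which documents /var/empty as the empty directory sshd(8) uses for privilege separation. The script below is an added example, not code from the thread, that turns Dewayne's grep | wc -l check into a small audit: it classifies every account with the /usr/sbin/nologin shell by its home directory convention and, for accounts that follow neither convention, reports whether that directory actually exists on the live system. The sample passwd lines are constructed: four are copied from the entries quoted above, and svc and dewayne are made-up accounts.

```shell
#!/bin/sh
# Added example (not code from the thread): classify nologin accounts by
# home directory convention and audit the ones that fit neither.

# Constructed sample in passwd(5) format: the first four lines are taken
# from the entries quoted in the thread; svc and dewayne are made up.
SAMPLE_PASSWD='sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
svc:*:1001:1001:constructed service account:/home/svc:/usr/sbin/nologin
dewayne:*:1002:1002:constructed login account:/home/dewayne:/bin/sh'

# Print "user home class" for every account whose shell is /usr/sbin/nologin;
# class is empty (/var/empty), nonexistent (/nonexistent) or other.
classify_nologin_homes() {
    printf '%s\n' "$1" | awk -F: '$7 == "/usr/sbin/nologin" {
        cls = "other"
        if ($6 == "/var/empty") cls = "empty"
        else if ($6 == "/nonexistent") cls = "nonexistent"
        print $1, $6, cls
    }'
}

# Count nologin accounts in one class: the grep | wc -l check from the
# thread, restricted to nologin shells so real login accounts do not skew it.
count_class() {
    classify_nologin_homes "$1" | awk -v want="$2" '$3 == want { n++ } END { print n + 0 }'
}

# Live check for the "other" class: a nologin account whose home follows
# neither convention and really exists on disk is the one an admin should
# look at (who owns it, and why the account has a real directory at all).
check_other_homes() {
    classify_nologin_homes "$1" | while read -r user home cls; do
        [ "$cls" = "other" ] || continue
        if [ -d "$home" ]; then
            owner=$(ls -ld "$home" | awk '{ print $3 }')
            printf 'WARN %s: %s exists, owned by %s\n' "$user" "$home" "$owner"
        else
            printf 'OK   %s: %s does not exist\n' "$user" "$home"
        fi
    done
}

# Run against the sample; pass "$(cat /etc/passwd)" instead for a real audit.
for c in empty nonexistent other; do
    printf '%-12s %s\n' "$c" "$(count_class "$SAMPLE_PASSWD" "$c")"
done
check_other_homes "$SAMPLE_PASSWD"
```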