From nobody@FreeBSD.org  Thu Sep 16 06:37:38 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C448F16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 16 Sep 2004 06:37:38 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9CE5943D5D
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 16 Sep 2004 06:37:38 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i8G6bcFh075458
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 16 Sep 2004 06:37:38 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i8G6bcLG075457;
	Thu, 16 Sep 2004 06:37:38 GMT
	(envelope-from nobody)
Message-Id: <200409160637.i8G6bcLG075457@www.freebsd.org>
Date: Thu, 16 Sep 2004 06:37:38 GMT
From: Andrew Hayden <andrew.hayden@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: adduser breaks if /sbin/nologin is included in /etc/shells
X-Send-Pr-Version: www-2.3

>Number:         71786
>Category:       bin
>Synopsis:       [patch] adduser breaks if /sbin/nologin is included in /etc/shells
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 16 06:40:19 GMT 2004
>Closed-Date:    Sun Jan 27 08:18:52 UTC 2008
>Last-Modified:  Sun Jan 27 08:18:52 UTC 2008
>Originator:     Andrew Hayden
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD server1.aexx.net 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Mon Feb 23 20:45:55 GMT 2004 root@wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Background:
I built & installed proftpd.  I created a test user whose shell was set to '/sbin/nologin' by running adduser and specifying 'nologin' as the shell.  Then, I tried to log in to proftpd and realized that since /etc/shells doesn't contain '/sbin/nologin', proftpd would not allow me to log in.  So, I added '/sbin/nologin' to /etc/shells.

Now that I have done this, the adduser command is unable to add users whose shell is 'nologin'.  It corrupts /etc/master.passwd and requires user intervention to repair (via vipw, then pwd_mkdb -p /etc/master.passwd).

It appears that adduser chokes when /sbin/nologin is present in /etc/shells.

Here is relevant output from a session...

****BEGIN CLIP ****
root@server1[~/scripts/management]# adduser
Username: test
Full name:
Uid (Leave empty for default):
Login group [test]:
Login group is test. Invite test into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin bash false nologin) [sh]: nologin
Home directory [/home/test]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username   : test
Password   : <random>
Full Name  :
Uid        : 1004
Class      :
Groups     : test
Home       : /home/test
Shell      : /sbin/nologin
/sbin/nologin
Locked     : no
OK? (yes/no): yes
pwd_mkdb: corrupted entry
pwd_mkdb: at line #26
pwd_mkdb: /etc/master.passwd: Inappropriate file type or format
pw: passwd file update: Inappropriate ioctl for device
adduser: ERROR: There was an error adding user (test).
Add another user? (yes/no): no
Goodbye!

root@server1[~/scripts/management]# cat /etc/shells
# $FreeBSD: src/etc/shells,v 1.5 2000/04/27 21:58:46 ache Exp $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh
/sbin/nologin
/usr/local/bin/bash
/usr/bin/false

root@server1[~/scripts/management]# cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.34 2003/04/27 05:45:29 imp Exp $
#
[[[ lots of stuff omitted for bug report, next line is line 23]]]
aexx:[omitted for bug report]:1003:1003::0:0:Aexx:/home/aexx:/sbin/nologin

test:$1$1k7RDJ9C$fqwDyAI8dBzN63sSi7Ly..:1004:1004::0:0:User &:/home/test:/sbin/nologin
/sbin/nologin
**** END CLIP ****
>How-To-Repeat:
1. Ensure that /etc/shells does not contain '/sbin/nologin'.
2. Create a user with 'adduser' whose shell is 'nologin'.
3. Delete that user.
4. Add '/sbin/nologin' to /etc/shells.
5. Repeat step 2 exactly as you did before.
6. Examine /etc/master.passwd with vipw and confirm corrupted entry.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: roam 
State-Changed-When: Thu Sep 16 11:26:10 GMT 2004 
State-Changed-Why:  
It seems that there is indeed a problem in adduser's handling of the 
nologin shell.  In the fullpath_from_shell() function, the 'return' 
within the while/case/if will only return from the new shell instance 
created due to the "cat ${ETCSHELLS}" pipe, and will *not* stop the 
shell from executing the nologin special case test.  Thus, 
fullpath_from_shell() will output *two* lines containing nologin, and 
those two lines will be what is added to the end of master.passwd's new 
user line. 

Can you try the following patch?  Basically, in the 
fullpath_from_shell() function, move the nologin special case test 
before the cat | while loop. 

Index: src/usr.sbin/adduser/adduser.sh 
=================================================================== 
RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.sh,v 
retrieving revision 1.20 
diff -u -r1.20 adduser.sh 
--- src/usr.sbin/adduser/adduser.sh	24 Jun 2003 15:20:43 -0000	1.20 
+++ src/usr.sbin/adduser/adduser.sh	16 Sep 2004 11:24:30 -0000 
@@ -123,6 +123,12 @@ 
_shell=$1 
[ -z "$_shell" ] && return 1 

+	# /sbin/nologin is a special case 
+	if [ "$_shell" = "${NOLOGIN}" ]; then 
+		echo ${NOLOGIN_PATH} 
+		return 0; 
+	fi 
+ 
cat ${ETCSHELLS} | 
while read _path _junk ; do 
case "$_path" in 
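Review bot: the comment on the added block still reads only "/sbin/nologin is a special case"; it should also say why the test has to sit above the `cat ${ETCSHELLS} |` loop (a `return` inside that piped loop does not leave the function), otherwise a later cleanup can move it back below the loop and reintroduce the double output. While touching these lines, quote the expansion in `echo ${NOLOGIN_PATH}` and drop the stray `;` after `return 0`.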
@@ -137,12 +143,6 @@ 
esac 
done 

-	# /sbin/nologin is a special case 
-	if [ "$_shell" = "${NOLOGIN}" ]; then 
-		echo ${NOLOGIN_PATH} 
-		return 0; 
-	fi 
- 
return 1 
} 
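Review bot: after this removal `done` is followed directly by an unconditional `return 1`, and because the loop is still the tail of the `cat ${ETCSHELLS} |` pipe, the `return` inside it (per the analysis above) cannot skip that line, so the function reports failure even when the loop found and printed a path. If any caller checks the exit status, feed the loop with a redirection (`done < ${ETCSHELLS}`) instead of the pipe so the inner `return` leaves the function; that would also have prevented the original double output.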


http://www.freebsd.org/cgi/query-pr.cgi?pr=71786 
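The subshell behaviour described in the analysis above, reproduced as an added example (not code from adduser.sh: the loop body, the temporary shells file and the function names `lookup_piped`, `lookup_redirected` and `count_lines` are constructed for illustration):

```shell
# Added illustration: constructed stand-ins, not the adduser.sh source.
ETCSHELLS=$(mktemp)		# constructed substitute for /etc/shells
trap 'rm -f "$ETCSHELLS"' EXIT
printf '%s\n' '# constructed sample' /bin/sh /bin/csh /sbin/nologin >"$ETCSHELLS"
NOLOGIN=nologin
NOLOGIN_PATH=/sbin/nologin

# Pre-patch ordering: loop fed by a pipe, nologin special case after it.
lookup_piped() {
	_shell=$1
	cat "$ETCSHELLS" |
	while read _path _junk; do
		case "$_path" in
		\#*|'') ;;
		*)	if [ "$_path" = "$_shell" ] || [ "${_path##*/}" = "$_shell" ]; then
				echo "$_path"
				return 0	# ends only the pipe's subshell
			fi ;;
		esac
	done
	if [ "$_shell" = "$NOLOGIN" ]; then	# still reached after a match
		echo "$NOLOGIN_PATH"
		return 0
	fi
	return 1
}

# Same logic with the loop fed by redirection: it runs in the current
# shell, so the inner return leaves the function.
lookup_redirected() {
	_shell=$1
	while read _path _junk; do
		case "$_path" in
		\#*|'') ;;
		*)	if [ "$_path" = "$_shell" ] || [ "${_path##*/}" = "$_shell" ]; then
				echo "$_path"
				return 0
			fi ;;
		esac
	done <"$ETCSHELLS"
	if [ "$_shell" = "$NOLOGIN" ]; then
		echo "$NOLOGIN_PATH"
		return 0
	fi
	return 1
}

# Number of lines a lookup writes; more than one corrupts the passwd entry.
count_lines() { "$@" | wc -l | tr -d ' '; }
```

`count_lines lookup_piped nologin` yields two lines, matching the doubled `/sbin/nologin` in the session clip, and `lookup_piped sh` exits non-zero even though it printed `/bin/sh`.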

From: Peter Pentchev <roam@ringlet.net>
To: bug-followup@FreeBSD.org
Cc: andrew.hayden@gmail.com
Subject: Re: bin/71786: adduser breaks if /sbin/nologin is included in /etc/shells
Date: Thu, 16 Sep 2004 14:45:32 +0300

 On Thu, Sep 16, 2004 at 11:31:18AM +0000, Peter Pentchev wrote:
 [snip]
 > It seems that there is indeed a problem in adduser's handling of the
 > nologin shell.  In the fullpath_from_shell() function, the 'return'
 > within the while/case/if will only return from the new shell instance
 > created due to the "cat ${ETCSHELLS}" pipe, and will *not* stop the
 > shell from executing the nologin special case test.  Thus,
 > fullpath_from_shell() will output *two* lines containing nologin, and
 > those two lines will be what is added to the end of master.passwd's new
 > user line.
 > 
 > Can you try the following patch?  Basically, in the
 > fullpath_from_shell() function, move the nologin special case test
 > before the cat | while loop.
 
 FWIW, for 6.x-CURRENT and 5.3-BETA this patch would assume the following
 shape.  Source committers, please treat this as a request for pre-commit
 review - I could commit this if no one has any objections:
 
 Index: src/usr.sbin/adduser/adduser.sh
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.sh,v
 retrieving revision 1.24
 diff -u -r1.24 adduser.sh
 --- src/usr.sbin/adduser/adduser.sh	28 Aug 2004 14:32:10 -0000	1.24
 +++ src/usr.sbin/adduser/adduser.sh	16 Sep 2004 11:43:23 -0000
 @@ -126,6 +126,13 @@
  	_shell=$1
  	[ -z "$_shell" ] && return 1
  
 +	# /usr/sbin/nologin is a special case
 +	if [ "$_shell" = "${NOLOGIN}" -o \
 +	    "$_shell" = "${NOLOGIN_PATH}" ]; then
 +		echo ${NOLOGIN_PATH}
 +		return 0;
 +	fi
 +
  	cat ${ETCSHELLS} |
  	while read _path _junk ; do
  		case "$_path" in
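Review bot: the added test joins its two comparisons with `-o` inside a single `[ ]`, an operator POSIX marks obsolescent because it can parse ambiguously depending on the operands; since `$_shell` is whatever was typed at the prompt, two tests joined by `||` are the safer form: `[ "$_shell" = "${NOLOGIN}" ] || [ "$_shell" = "${NOLOGIN_PATH}" ]`. The expansion in `echo ${NOLOGIN_PATH}` should be quoted as well.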
 @@ -141,13 +148,6 @@
  		esac
  	done
  
 -	# /usr/sbin/nologin is a special case
 -	if [ "$_shell" = "${NOLOGIN}" -o \
 -	    "$_shell" = "${NOLOGIN_PATH}" ]; then
 -		echo ${NOLOGIN_PATH}
 -		return 0;
 -	fi
 -
  	return 1
  }
  
 
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 This sentence was in the past tense.

From: Andrew Hayden <andrew.hayden@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org, andrew.hayden@gmail.com
Cc:  
Subject: Re: bin/71786: adduser breaks if /sbin/nologin is included in /etc/shells
Date: Thu, 16 Sep 2004 12:48:33 -0400

 This patch worked flawlessly.  Nice job!
 
 -Andrew Hayden
State-Changed-From-To: feedback->analyzed 
State-Changed-By: kris 
State-Changed-When: Sat Jul 30 01:02:12 GMT 2005 
State-Changed-Why:  
Submitter reports patch fixes issue, awaiting commit. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71786 
State-Changed-From-To: analyzed->closed 
State-Changed-By: mtm 
State-Changed-When: Sun Jan 27 08:17:35 UTC 2008 
State-Changed-Why:  
This was committed in rev. 1.25 on 2004/09/23 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71786 
>Unformatted:
