Cleaning up the users and locking down the shells in /etc/passwd
cjwatson at ubuntu.com
Sat Sep 24 16:48:08 UTC 2011
On Thu, Sep 22, 2011 at 04:33:00PM -0700, Matt Alexander wrote:
> Would it be possible to remove the vast majority of users from /etc/passwd
> and instead rely on the application being installed to create the specific
> user if needed? Most of the users appear to be historical remnants that
> have been carried over from release to release.
For almost everything, and certainly for the overwhelming majority of
new entries, we do exactly as you say. However, I (as base-passwd
maintainer) will not remove entries from the global static list unless
there is a very compelling reason to do so beyond cleaning up cruft;
packages are entitled to assume that they are present without declaring
any particular dependency and there's no reasonable way to know what
removing such entries would break.
In any case, there are only 18 entries in the global static list
(/usr/share/base-passwd/passwd.master), and even without thinking about
it too hard I know that at least four or five are still in use and
probably more, so there's not that much to be gained. All other system
entries in the passwd file are created dynamically by applications.
Since I took over base-passwd in 2002, I have added no new global static
users and only two new global static groups, the last of which was in
> In addition, for users in the passwd file that must be there, could you
> please set their shell to /usr/sbin/nologin?
Yes, I would like to do this eventually;
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=184979 has to be fixed
first, otherwise everyone will have their upgrades interrupted by a
non-debconf prompt. I haven't had time to work on #184979 in quite a
number of years, and to the best of my knowledge nobody has ever
contributed a patch for it; I'd be happy to review one if somebody did.
The one wart here is that using /usr/sbin/nologin will break anything
that runs commands as one of those users using the 'su' command. This
isn't theoretical; one of my packages used to do so some years ago,
although it now uses start-stop-daemon instead. The breakage is
probably worthwhile, I'll admit, but I can't say that there would be no
problems with changing those users' shell since there's been such a long
time for packages to get used to it being /bin/sh.
Colin Watson [cjwatson at ubuntu.com]
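The following audit script is an added example and is not part of Colin's mail or of the base-passwd package. It parses /etc/passwd-format text, flags system accounts (assumed here to follow the Debian convention of UIDs 1 to 999) whose shell still permits login, and prints the usermod commands an administrator could review before changing those shells to /usr/sbin/nologin. It also shows the caveat from the mail in code form: a plain `su user -c cmd` consults the account's shell and fails once that shell is nologin, whereas `su -s /bin/sh` overrides it and `start-stop-daemon --chuid` never consults the shell at all. The sample passwd lines are constructed, not taken from any real system.

```python
#!/usr/bin/env python3
"""Flag system accounts in /etc/passwd whose shell still allows login.

Added example for the ubuntu-devel-discuss thread; not base-passwd code.
"""
from typing import List, NamedTuple

# Shells that deny interactive login. /usr/sbin/nologin is the one proposed
# in the thread; /bin/false is the other common choice on Debian-derived
# systems. (Assumption: no other non-login shells are in use.)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Debian/Ubuntu reserve UIDs 0-999 for system accounts. UID 0 (root) is
# excluded from the check because root legitimately keeps a real shell.
SYSTEM_UID_MAX = 999


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_system_accounts(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """System accounts (UID 1..SYSTEM_UID_MAX) whose shell is not a nologin shell."""
    return [e for e in entries
            if 0 < e.uid <= SYSTEM_UID_MAX and e.shell not in NOLOGIN_SHELLS]


def lockdown_commands(entries: List[PasswdEntry],
                      nologin: str = "/usr/sbin/nologin") -> List[str]:
    """usermod commands to review before applying; nothing is executed here."""
    return [f"usermod -s {nologin} {e.name}"
            for e in interactive_system_accounts(entries)]


def run_as_user_command(user: str, cmd: str) -> List[str]:
    """A 'run this command as a system user' invocation that survives nologin.

    'su user -c cmd' runs cmd through the account's passwd shell, so it stops
    working once that shell is /usr/sbin/nologin. Passing -s forces su to use
    /bin/sh regardless of the passwd entry. (start-stop-daemon --chuid, which
    the mail mentions as the replacement, never looks at the shell at all.)
    """
    return ["su", "-s", "/bin/sh", "-c", cmd, user]


# Constructed sample data in passwd(5) format; not from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:115:122:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for e in interactive_system_accounts(entries):
        print(f"{e.name:<10} uid={e.uid:<4} shell={e.shell}")
    print()
    print("\n".join(lockdown_commands(entries)))
```

Run against a real host with `parse_passwd(open("/etc/passwd").read())`; the printed usermod lines are meant to be read, not piped into a shell, precisely because of the `su` breakage the mail describes.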