14.04 upgrade changes login shells to /usr/sbin/nologin for some system users

Tom H tomh0665 at gmail.com
Mon Jun 16 11:18:40 UTC 2014

On Mon, Jun 16, 2014 at 5:15 AM, Adam Funk <a24061 at ducksburg.com> wrote:
> I upgraded my home server to 14.04 a few days ago. The upgrade
> process changed the login shells in /etc/passwd for several system
> users to '/usr/sbin/nologin'. I guess this is a security improvement?
> For the most part, it's fine, but the upgrade changed it for the
> 'news' user & that broke my leafnode installation, because the cron
> jobs are owned by root but use
> su news -c "commands..."
> to run. The curious thing is that my leafnode installation is
> compiled from the source, not installed using the package, so I
> don't see why the Ubuntu upgrader even knows about the news user. Any
> ideas?
> Also, will this happen again at the next upgrade, or is there anything
> I can configure now to prevent it?

It's a change that has filtered through from Debian after multiple
bugs were filed against Debian and Ubuntu to use nologin or something
similarly disabling as the shell of system users.

You should've had a debconf prompt about these changes (I'm somewhat
sure that I had one).

Do you have a backup "/etc/passwd.<something>" file?

I'm sure that the postinst of base-passwd will carry this change for a
long time and I doubt that it checks whether the users that are meant
to have nologin as their shell were installed by an Ubuntu package.

You could pin base-passwd and create a script to check regularly
whether there's a new version, if there is one, unpin base-passwd and
install the latest version, sed "/etc/passwd" to change the shell of
the news user, diff your changed passwd and a backup of your previous
one to make sure that you didn't change something that you didn't, and
repin base-passwd.
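
Added example, not part of the original message: the edit-and-verify steps suggested above, run on copies of the passwd file rather than on /etc/passwd itself. The function names and the sample passwd entries are constructed for this example, and awk is used in place of sed so that only the shell field (field 7) is addressed.

```shell
#!/bin/sh
# Added example; works on copies only and never edits /etc/passwd.

# shell_changes OLD NEW: print "user old_shell new_shell" for each account
# present in both files whose login shell (field 7) differs.
shell_changes() {
    awk -F: 'NR == FNR { old[$1] = $7; next }
             ($1 in old) && old[$1] != $7 { print $1, old[$1], $7 }' "$1" "$2"
}

# set_shell FILE USER SHELL: print FILE with only USER's shell field replaced.
set_shell() {
    awk -F: -v OFS=: -v u="$2" -v s="$3" '$1 == u { $7 = s } { print }' "$1"
}

# only_shell_differs OLD NEW USER: succeed if the two files are identical
# once USER's shell field is ignored (no other account or field was touched).
only_shell_differs() {
    a=$(set_shell "$1" "$3" X) && b=$(set_shell "$2" "$3" X) && [ "$a" = "$b" ]
}

# Constructed sample data: a pre-upgrade backup and the post-upgrade file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd.bak" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
adam:x:1000:1000:Adam:/home/adam:/bin/bash
EOF
cat > "$demo_dir/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
adam:x:1000:1000:Adam:/home/adam:/bin/bash
EOF

# 1. See which system accounts the upgrade switched to nologin.
shell_changes "$demo_dir/passwd.bak" "$demo_dir/passwd.new"
# 2. Restore the shell for news only, writing to a separate file.
set_shell "$demo_dir/passwd.new" news /bin/sh > "$demo_dir/passwd.fixed"
# 3. Confirm nothing except that one field differs before installing it.
only_shell_differs "$demo_dir/passwd.new" "$demo_dir/passwd.fixed" news \
    && echo "only the news shell differs"
```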
