14.04 upgrade changes login shells to /usr/sbin/nologin for some system users

Adam Funk a24061 at ducksburg.com
Wed Jun 18 12:51:25 UTC 2014


On 2014-06-16, Tom H wrote:

> On Mon, Jun 16, 2014 at 5:15 AM, Adam Funk <a24061 at ducksburg.com> wrote:
>>
>> I upgraded my home server to 14.04 a few days ago. The upgrade
>> process changed the login shells in /etc/passwd for several system
>> users to '/usr/sbin/nologin'. I guess this is a security improvement?
>>
>> For the most part, it's fine, but the upgrade changed it for the
>> 'news' user & that broke my leafnode installation, because the cron
>> jobs are owned by root but use
>> su news -c "commands..."
>> to run. The curious thing is that my leafnode installation is
>> compiled from the source, not installed using the package, so I
>> don't see why the Ubuntu upgrader even knows about the news user. Any
>> ideas?
>>
>> Also, will this happen again at the next upgrade, or is there anything
>> I can configure now to prevent it?
>
> It's a change that has filtered through from Debian after multiple
> bugs were filed against Debian and Ubuntu to use nologin or something
> similarly disabling as the shell of system users.

I guess this is a security thing.  Is the sole purpose of most of the
system users just to act as placeholders for file ownership?
(Obviously they're not intended to be used to run cron jobs with
'nologin'.)



> You should've had a debconf prompt about these changes (I'm somewhat
> sure that I had one).
>
> Do you have a backup "/etc/passwd.<something>" file?
>
> I'm sure that the postinst of base-passwd will carry this change for a
> long time and I doubt that it checks whether the users that are meant
> to have nologin as their shell were installed by an Ubuntu package.
>
> You could pin base-passwd and create a script to check regularly
> whether there's a new version, if there is one, unpin base-passwd and
> install the latest version, sed "/etc/passwd" to change the shell of
> the news user, diff your changed passwd and a backup of your previous
> one to make sure that you didn't change something that you didn't, and
> repin base-passwd.

Thanks, but I think I'll just suck it up & put "check news user's
shell in /etc/passwd" in my text file of upgrading notes.
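
The check discussed in this thread (compare the post-upgrade passwd file with a backup and look at the 'news' user's shell), as an added example that is not part of the original post. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare login shells (field 7) between two passwd-format files.

# shell_changes OLD NEW: print "user old_shell new_shell" for each account
# present in both files whose login shell differs.
shell_changes() {
    awk -F: '
        NR == FNR { old[$1] = $7; next }   # first file: remember each shell
        ($1 in old) && old[$1] != $7 { print $1, old[$1], $7 }
    ' "$1" "$2"
}

# login_shell FILE USER: print USER's login shell as recorded in FILE.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# is_nologin FILE USER: succeed if USER's shell is a login-refusing one.
is_nologin() {
    case "$(login_shell "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data standing in for a pre-upgrade backup and the
# post-upgrade /etc/passwd; not taken from a real system.
demo=$(mktemp -d)
cat > "$demo/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
adam:x:1000:1000:Adam:/home/adam:/bin/bash
EOF
sed -e '/^news:/s|:/bin/sh$|:/usr/sbin/nologin|' \
    -e '/^uucp:/s|:/bin/sh$|:/usr/sbin/nologin|' \
    "$demo/passwd.before" > "$demo/passwd.after"

shell_changes "$demo/passwd.before" "$demo/passwd.after"
if is_nologin "$demo/passwd.after" news; then
    echo "news has a non-login shell: su news -c \"...\" cron jobs will fail"
fi
rm -rf "$demo"
```

On a real system, pass the backup copy as the first argument and /etc/passwd as the second. When root is the caller, `su -s /bin/sh news -c "commands..."` selects a shell for that one invocation, so the cron jobs can run without changing the 'news' entry back.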




