/etc/nologin must be world-readable which is not totally clear
Ben Lindstrom
mouring at eviladmin.org
Tue Jan 12 01:53:00 EST 2010
Could have sworn I filed one a few years ago on this when it was brought to my attention. Maybe I didn't, since I can't find it.
- Ben
On Jan 11, 2010, at 5:46 AM, Jan Pechanec wrote:
>
> hi, the man page for sshd(1) says about /etc/nologin: "The file
> should be world-readable". However, nologin has no effect if it's not
> readable by the connecting user:
>
> 	if (pw->pw_uid)
> 		f = fopen(_PATH_NOLOGIN, "r");
>
> 	if (f) {
> 		/* /etc/nologin exists.  Print its contents and exit. */
> 		...
> 		...
> 		return(254)
>
> If root has a stricter mask than 022, it can easily happen that
> /etc/nologin ends up with 0600 permissions, for example. The user would not
> be able to see the file's contents anyway, but he/she can log in. It can
> lead to situations where login is assumed to be prohibited to non-root
> users when it is not.
>
> I can file a bug in bugzilla and send a patch if you agree that
> it should be fixed. If this behaviour should be preserved, I suggest
> updating the man page; it should read "The file must be world-readable" in
> that case.
>
> cheers, J.
>
> --
> Jan Pechanec
> http://blogs.sun.com/janp
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
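The point Jan raises is that sshd decides whether /etc/nologin blocks a login by trying to fopen() the file as the connecting (non-root) user, so a file root cannot read as that user is silently ignored. The following is an added audit check, not code from OpenSSH or from either poster: it reproduces that decision from the file's ownership and permission bits, so an administrator can verify that a nologin file they created will actually take effect. The function and class names, and the constructed sample file descriptions in the usage section, are assumptions for illustration.

```python
"""
Audit check for the /etc/nologin readability problem discussed above.

sshd only honours /etc/nologin when (a) the connecting user is not root
and (b) fopen(_PATH_NOLOGIN, "r") succeeds *as that user*.  A nologin file
that root created with mode 0600 therefore blocks nobody.  This module
(added example, not OpenSSH code) mirrors that logic with a plain Unix
discretionary-access read check and reports files that will not work.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional

NOLOGIN_PATH = "/etc/nologin"  # _PATH_NOLOGIN in sshd


@dataclass(frozen=True)
class FileInfo:
    """Ownership and mode of a file, as returned by stat(2)."""
    mode: int   # st_mode (type bits may be present; only permission bits are used)
    uid: int    # st_uid
    gid: int    # st_gid


def user_can_read(info: FileInfo, uid: int, gids: Iterable[int]) -> bool:
    """Classic Unix DAC check for a non-root user opening the file O_RDONLY.

    Only the first matching class (owner, then group, then other) is
    consulted, exactly as the kernel does for unprivileged processes.
    """
    perm = stat.S_IMODE(info.mode)
    if uid == info.uid:
        return bool(perm & stat.S_IRUSR)
    if info.gid in set(gids):
        return bool(perm & stat.S_IRGRP)
    return bool(perm & stat.S_IROTH)


def nologin_blocks(info: FileInfo, uid: int, gids: Iterable[int]) -> bool:
    """True if sshd would refuse this user because of the nologin file.

    Mirrors the quoted sshd snippet: root (uid 0) is never blocked, and
    everyone else is blocked only if the fopen() as that user would succeed.
    """
    if uid == 0:
        return False
    return user_can_read(info, uid, gids)


def audit_nologin(info: FileInfo, path: str = NOLOGIN_PATH) -> List[str]:
    """Return human-readable findings for a nologin file with the given metadata."""
    perm = stat.S_IMODE(info.mode)
    findings = []
    if not perm & stat.S_IROTH:
        findings.append(
            f"{path} is mode {perm:04o} (not world-readable): sshd will still "
            f"admit non-root users who cannot read it"
        )
    if not perm & stat.S_IRUSR:
        findings.append(f"{path} is not readable even by its owner (uid {info.uid})")
    return findings


def audit_live(path: str = NOLOGIN_PATH) -> Optional[List[str]]:
    """Stat the real file and audit it; None means the file does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return audit_nologin(FileInfo(st.st_mode, st.st_uid, st.st_gid), path)


if __name__ == "__main__":
    # Constructed sample metadata, not taken from any real host.
    broken = FileInfo(mode=0o100600, uid=0, gid=0)   # root:root, rw-------
    working = FileInfo(mode=0o100644, uid=0, gid=0)  # root:root, rw-r--r--
    for label, info in (("0600", broken), ("0644", working)):
        blocked = nologin_blocks(info, uid=1000, gids=[1000])
        print(f"mode {label}: user 1000 blocked = {blocked}; "
              f"findings = {audit_nologin(info) or 'none'}")
    live = audit_live()
    print("live /etc/nologin:", "absent" if live is None else (live or "ok"))
```

The `audit_live` helper is what an administrator would run after creating the file; the pure functions above it take constructed metadata so the logic can be exercised without touching the real /etc/nologin.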