/etc/nologin must be world-readable which is not totally clear
Darren Tucker
dtucker at zip.com.au
Tue Jan 12 12:24:20 EST 2010
On Mon, Jan 11, 2010 at 12:46:05PM +0100, Jan Pechanec wrote:
> hi, the man page for sshd(1) says about /etc/nologin: "The file
> should be world-readable". However, nologin has no effect if it's not
> readable by the connecting user:
I agree that the existence of an unreadable /etc/nologin should prevent
logins since it's pretty clear that's the admin's intent, so it's a bug
in the code not the docs.
The simple solution is to check errno for EPERM. I'm about to apply the
following patch which should cover it.
Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.249
diff -u -p -r1.249 session.c
--- session.c 20 Nov 2009 00:15:41 -0000 1.249
+++ session.c 12 Jan 2010 00:27:21 -0000
@@ -1105,10 +1105,12 @@ do_nologin(struct passwd *pw)
if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
_PATH_NOLOGIN), "r");
- if (f) {
+ if (f != NULL || errno == EPERM) {
/* /etc/nologin exists. Print its contents and exit. */
logit("User %.100s not allowed because %s exists",
pw->pw_name, _PATH_NOLOGIN);
+ if (f == NULL)
+ exit(254);
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
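Review bot: the `errno == EPERM` test on the `+ if (f != NULL || errno == EPERM)` line will not catch the case this thread is about: fopen(3) on a file the connecting user lacks read permission for fails with EACCES, not EPERM, so an unreadable /etc/nologin still lets the login through. Failing closed is safer here: treat any failure other than ENOENT as "the file exists", i.e. `if (f != NULL || errno != ENOENT)`, which also covers EIO and similar errors. A second problem is that errno is only meaningful if the fopen() was actually reached: when `ignorenologin` is set or `pw->pw_uid` is 0 the fopen() is skipped, f is not assigned by this code, and a stale errno from an earlier call could wrongly deny the login, so either set `errno = 0` before the conditional or move the errno test inside the branch that calls fopen().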
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
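The check the thread converges on, written out as a stand-alone added example (not OpenSSH's session.c, and not Darren's patch): a nologin probe that fails closed, treating only ENOENT as "no nologin file" and every other fopen() failure, including the EACCES an unreadable file actually produces, as "deny the login". The enum, the function names and the /tmp path are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome of consulting a nologin file (names are this example's own). */
enum nologin_result {
    NOLOGIN_ABSENT,     /* open failed with ENOENT: no file, allow login    */
    NOLOGIN_READABLE,   /* file opened and was read: deny login             */
    NOLOGIN_UNREADABLE  /* open failed for any other reason: deny login     */
};

/*
 * Fail-closed probe.  Only ENOENT means "no nologin file"; EACCES (the
 * errno fopen() really sets for an unreadable file), ENOTDIR, EIO and so
 * on all count as "the admin put something there", so the login is denied.
 * When the file is readable, up to bufsz-1 bytes of its contents are
 * copied into buf so the caller can show them to the user.
 */
enum nologin_result nologin_check(const char *path, char *buf, size_t bufsz)
{
    FILE *f;
    size_t n = 0;
    int c;

    if (bufsz > 0)
        buf[0] = '\0';
    errno = 0;                 /* never judge a stale errno */
    f = fopen(path, "r");
    if (f == NULL)
        return errno == ENOENT ? NOLOGIN_ABSENT : NOLOGIN_UNREADABLE;
    while (bufsz > 0 && n < bufsz - 1 && (c = fgetc(f)) != EOF)
        buf[n++] = (char)c;
    if (bufsz > 0)
        buf[n] = '\0';
    fclose(f);
    return NOLOGIN_READABLE;
}

/* Helper for the demonstration: write a constructed nologin file. */
int write_nologin(const char *path, const char *msg)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(msg, f);
    return fclose(f);
}

int main(void)
{
    const char *path = "/tmp/nologin_example.txt";   /* constructed sample path */
    char buf[256];

    write_nologin(path, "System going down for maintenance\n");
    printf("readable -> %s", nologin_check(path, buf, sizeof(buf)) == NOLOGIN_READABLE
        ? buf : "unexpected\n");

    /* Root ignores mode bits, so the unreadable case only shows as non-root. */
    if (geteuid() != 0) {
        chmod(path, 0);
        printf("mode 000 -> %s (errno %d, EACCES is %d, EPERM is %d)\n",
            nologin_check(path, buf, sizeof(buf)) == NOLOGIN_UNREADABLE ? "deny" : "allow",
            errno, EACCES, EPERM);
        chmod(path, 0600);
    }

    printf("missing file -> %s\n",
        nologin_check("/tmp/nologin_example_missing", buf, sizeof(buf)) == NOLOGIN_ABSENT
        ? "allow" : "deny");
    unlink(path);
    return 0;
}
```

Run as an unprivileged user, the mode-000 line prints "deny" with errno equal to EACCES, which is why a test for EPERM alone never fires; the missing-file case is the only one that is allowed through.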