DaemonForums > OpenBSD > OpenBSD Security

#1
Old 4th June 2015
EverydayDiesel
Shell Scout
 
Join Date: Jan 2009
Posts: 123
/usr/bin/false vs /sbin/nologin

Is there a difference between these users? Apparently smb needs system accounts in addition to smb accounts, and I need a no-access one.

Can someone please explain the difference or is there something even better?
#2
Old 4th June 2015
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381

The man pages for each of these describe their uses. From false(1):
Code:
The false utility always exits with a non-zero exit code.
On OpenBSD /usr/bin/false is this shell executable:
Code:
#! /bin/sh
#    $OpenBSD: false.sh,v 1.2 1996/06/26 05:32:50 deraadt Exp $

exit 1
From nologin(1):
Code:
     nologin displays a message that an account is not available and exits
     non-zero.    It is intended as a replacement shell field for accounts that
     have been disabled.

     If the file /etc/nologin.txt exists, nologin displays its contents to the
     user instead of the default message.
And /sbin/nologin is a static binary. Its source code is attached below, in the event you wish to review it.
Code:
/*    $OpenBSD: nologin.c,v 1.5 2003/07/10 00:00:58 david Exp $    */

/*
 * Copyright (c) 1997, Jason Downs.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Distinctly different from _PATH_NOLOGIN. */
#define _PATH_NOLOGIN_TXT    "/etc/nologin.txt"

#define DEFAULT_MESG    "This account is currently not available.\n"

/*ARGSUSED*/
int main(int argc, char *argv[])
{
    int nfd;
    ssize_t nrd;
    char nbuf[BUFSIZ];

    nfd = open(_PATH_NOLOGIN_TXT, O_RDONLY);
    if (nfd < 0) {
        write(STDOUT_FILENO, DEFAULT_MESG, strlen(DEFAULT_MESG));
        exit (1);
    }

    while ((nrd = read(nfd, nbuf, sizeof(nbuf))) != -1 && nrd != 0)
        write(STDOUT_FILENO, nbuf, nrd);
    close (nfd);

    exit (1);
}
#3
Old 4th June 2015
EverydayDiesel
Shell Scout
 
Join Date: Jan 2009
Posts: 123

Thanks! So when I create these system accounts for samba, would you recommend that I create them with the false shell? Currently I do not see that as an option on adduser. Do I have to edit /etc/passwd?
#4
Old 4th June 2015
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381

No, the script should never be used as a user's shell. It is only a script, and would need an operating shell to run.

Instead, use nologin, as that is what it is for. Review your /etc/passwd and see how frequently it is used.
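As a way to do the /etc/passwd review suggested above, here is an added sh example (not from the thread or from OpenBSD) that classifies the login shell of every account in a passwd(5)-format file and flags accounts that use /usr/bin/false instead of /sbin/nologin. The passwd lines embedded in it are constructed sample data.

```sh
#!/bin/sh
# Added example: audit a passwd(5)-format file and classify each account's
# login shell. Locked accounts (e.g. Samba system accounts) should use
# /sbin/nologin; /usr/bin/false is a shell script on OpenBSD and is reported
# separately so it can be reviewed. The passwd content below is constructed.

SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
_smbuser:*:1001:1001:Samba share account:/nonexistent:/usr/bin/false
alice:*:1000:1000:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:'

# classify_shell SHELL: prints "locked", "script-false" or "login"
classify_shell() {
    case "$1" in
        /sbin/nologin)            echo locked ;;
        /usr/bin/false|/bin/false) echo script-false ;;
        "")                       echo login ;;   # empty field means /bin/sh, see passwd(5)
        *)                        echo login ;;
    esac
}

# audit_passwd: reads passwd lines on stdin, prints "user shell class" per account
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        printf '%s %s %s\n' "$user" "${shell:-/bin/sh}" "$(classify_shell "$shell")"
    done
}

# count_class CLASS: number of audited accounts in CLASS (audit output on stdin)
count_class() {
    awk -v c="$1" '$3 == c { n++ } END { print n + 0 }'
}

# Run the audit over the constructed sample
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real system run `audit_passwd < /etc/passwd` and review every account that is not reported as "locked" but should be.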
#5
Old 4th June 2015
EverydayDiesel

Thanks again. You really help me a lot on this forum!!