user nobody and test suites

Bruce Dubbs bruce.dubbs at gmail.com
Sun Mar 25 19:19:23 PDT 2007


Dan Nicholson wrote:
> On 3/25/07, Bruce Dubbs <bruce.dubbs at gmail.com> wrote:
>> Dan Nicholson wrote:
>>> On 3/25/07, Robert Connolly <robert at linuxfromscratch.org> wrote:
>>>> I dunno if any of you have tried it, but we can use nobody for the Coreutils
>>>> tests. Add "nogroup" and "nobody" to /etc/group, and "nobody" in /etc/passwd
>>>> in the "nobody" group. For the src/su command, add '-s /bin/sh' so
>>>> that /bin/false won't be used.
>>> That seems fine to me.
>> I don't agree.  The nobody user should never have a valid login shell or
>> home directory.  If a temporary user is needed for the Coreutils tests,
>> add a temp user and then as the INSTALL file says, `sudo env
>> NON_ROOT_USERNAME=$USER make -k check`.  Delete the temp user when done.
> 
> If I understand Robert correctly, the nobody user doesn't have to have
> a valid home directory or login shell. He's just saying to execute su
> -s /bin/bash ... so that /bin/false isn't used. You can does this
> anyway right now.
> 
> # grep ^nobody /etc/passwd
> nobody:x:99:99:unprivileged nobody:/dev/null:/bin/false
> # su -s /bin/bash nobody -c "echo no home directory needed"
> no home directory needed
> 
> Oh, we already create nobody:nobody in LFS, so we could do this right now.

I see.  I withdraw my objection.

>>>> I'd also like to suggest we use /sbin/nologin (from Shadow), instead
>>>> of /bin/false. 'nologin' is the same as 'false', except it gives a polite
>>>> message explaining the account is suspended. It's intended for login
>>>> accounts, while /bin/false is intended for everything else.
>>> Also seems fine to me, but I have no idea what the
>>> history/implications of that change would be.
>> Using /sbin/nologin to give a "polite" message for accounts that should
>> *never* be tried is overkill.  To me, its not an accident and users
>> trying that don't need or deserve courtesy.  I prefer /bin/false.
>>
>> That said, it doesn't make a practical difference.
> 
> Sure. Maybe it's worth a mention that system users get /bin/false but
> that /sbin/nologin can also be used. In fact, I don't think that the
> /dev/null home directory, /bin/false login shell is currently
> explained anywhere in LFS or BLFS. The discussion would be good even
> if we don't change the current situation. I know it seemed strange to
> me the first time I saw one of those entries in passwd.

Additional explanation in chapter06/createfiles.html would never be a
bad thing.

  -- Bruce



More information about the lfs-dev mailing list