[Dovecot] Userdb passwd and 'nologin' users

Ben Morrow ben at morrow.me.uk
Fri Feb 1 20:37:46 EET 2013


At 4AM +0100 on 1/02/13 you (Daniel Parthey) wrote:
> Hi Ben,
> 
> Ben Morrow wrote:
> > +        if (set->check_nologin) {
> > +                /* skip entries that don't have a valid shell.
> > +                   they're again probably not real users. */
> > +                if (strcmp(pw->pw_shell, "/bin/false") == 0 ||
> > +                    strcmp(pw->pw_shell, "/sbin/nologin") == 0 ||
> > +                    strcmp(pw->pw_shell, "/usr/sbin/nologin") == 0)
> > +                        return FALSE;
> > +        }
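Review bot: the strcmp chain against three fixed paths only recognises the nologin shells it happens to name, so any other disabling shell a distribution uses passes the check; since the whole block is now behind set->check_nologin, consider replacing the fixed list with a lookup against the host's own list of valid login shells (getusershell(3) over /etc/shells), so the policy comes from the system rather than the source. Also, the moved comment's "they're again probably not real users" refers back to context at the code's old location and should be reworded.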
> 
> Valid shells are defined in /etc/shells and "locked" users, I would
> strongly discourage hardcoding a list of no-login shells here.

That list isn't mine; my patch just moves that code from one part of the
file to another and makes it conditional. Personally I don't think
checking the shell is sensible at all, which is why I'm trying to make
it optional.

> Users locked with "passwd -l" can also be detected by a ! at
> the beginning of the password hash.

That is system-specific, and in any case you have to be root (and on
non-BSD systems you have to make a shadow password call) to see the
password field. The userdb shouldn't be doing that: locked users will
already be prevented from logging in with a password because the
password won't match. (Of course, this doesn't cover e.g. Kerberos
logins, though I would usually lock a Kerberos user by telling the KDC
not to issue tickets rather than by locking the passwd account.)

Ben
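As an added illustration of the alternative Daniel raises above (consulting /etc/shells rather than a fixed list), and not code from Dovecot or from either poster, here is a small /etc/shells lookup in C. The sample file content is constructed; `shell_is_listed` and `shell_is_valid_on_system` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of an /etc/shells file (not copied from any system). */
static const char SAMPLE_SHELLS[] =
    "# /etc/shells: valid login shells\n"
    "/bin/sh\n"
    "/bin/bash\n"
    "  /usr/bin/zsh   # trailing comment\n";

static int blank(char c) { return c == ' ' || c == '\t' || c == '\r'; }

/* Return 1 if `shell` is listed in the /etc/shells-style text `shells`
 * (one path per line, '#' starts a comment, surrounding blanks ignored),
 * else 0. An empty pw_shell means /bin/sh to login(1), so map it first.
 * Anything unlisted (/sbin/nologin, /bin/false, ...) is rejected without
 * maintaining a hardcoded list of "no-login" shells. */
int shell_is_listed(const char *shell, const char *shells)
{
    if (shell == NULL || *shell == '\0') shell = "/bin/sh";
    size_t want = strlen(shell);
    for (const char *line = shells; *line != '\0'; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t end = 0, start = 0;
        while (end < len && line[end] != '#') end++;       /* cut the comment */
        while (end > 0 && blank(line[end - 1])) end--;     /* right-trim */
        while (start < end && blank(line[start])) start++; /* left-trim */
        if (end - start == want && memcmp(line + start, shell, want) == 0)
            return 1;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}

/* Same check against the live /etc/shells. An unreadable file yields 0:
 * failing closed is a deliberate choice here, unlike getusershell(3),
 * which falls back to a built-in default list. */
int shell_is_valid_on_system(const char *shell)
{
    char buf[8192];
    FILE *f = fopen("/etc/shells", "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return shell_is_listed(shell, buf);
}
```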
