[Dovecot] Userdb passwd and 'nologin' users
Ben Morrow
ben at morrow.me.uk
Fri Feb 1 20:37:46 EET 2013
At 4AM +0100 on 1/02/13 you (Daniel Parthey) wrote:
> Hi Ben,
>
> Ben Morrow wrote:
> > + if (set->check_nologin) {
> > + /* skip entries that don't have a valid shell.
> > + they're again probably not real users. */
> > + if (strcmp(pw->pw_shell, "/bin/false") == 0 ||
> > + strcmp(pw->pw_shell, "/sbin/nologin") == 0 ||
> > + strcmp(pw->pw_shell, "/usr/sbin/nologin") == 0)
> > + return FALSE;
> > + }
>
> Valid shells are defined in /etc/shells and "locked" users, I would
> strongly discourage from hardcoding a list of no-login shells here.
That list isn't mine, my patch just moves that code from one part of the
file to another and makes it conditional. Personally I don't think
checking the shell is sensible at all, which is why I'm trying to make
it optional.
> Users locked with "passwd -l" can also be detected by a ! at
> the beginning of the password hash.
That is system-specific, and in any case you have to be root (and on
non-BSD systems you have to make a shadow password call) to see the
password field. The userdb shouldn't be doing that: locked users will
already be prevented from logging in with a password because the
password won't match. (Of course, this doesn't cover e.g. Kerberos
logins, though I would usually lock a Kerberos user by telling the KDC
not to issue tickets rather than by locking the passwd account.)
Ben
More information about the dovecot
mailing list