I found this on the internet while putting up an FTP server in FreeBSD:

Putting nologin into /etc/shells potentially creates a back door by which those accounts can be used with FTP.
(see: http://osdir.com/ml/freebsd-questions/2005-12/msg02392.html)

Can anybody explain why this is? And why taking a copy of the nologin and putting that one in /etc/shells resolves this problem?
Best Answer
/etc/shells contains a list of binaries that the system considers (unrestricted) shells. That means that any user that has configured one of those binaries as their shell is assumed to have full access to the system (meaning they can execute any command, provided they have the appropriate permission). The most direct result is that they can use chsh to change their configured shell. If a user has a shell configured that isn't in this list, then the system assumes that he's somehow restricted. In the case of chsh it means that the user cannot change that value. Other programs might query that list and apply similar restrictions.

So by putting nologin in /etc/shells you effectively say "any user that has nologin as its shell is considered a full, unrestricted user". That's almost certainly the exact opposite of what nologin was meant to say.
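An added audit script (not part of the question or the answer) that checks for the situation described above: it lists accounts whose login shell is a nologin binary that also appears in /etc/shells. It runs on constructed sample copies of /etc/shells and /etc/passwd; the file contents, account names and the /usr/local/bin/ftponly path are assumptions.

```sh
#!/bin/sh
# Audit: does /etc/shells list a nologin binary, and which accounts use it?
# Such accounts look "unrestricted" to chsh, ftpd and anything else that
# consults the shells list. SHELLS_FILE/PASSWD_FILE are constructed sample
# data so this runs offline; on a real host use /etc/shells and /etc/passwd.

SHELLS_FILE="$(mktemp)"
PASSWD_FILE="$(mktemp)"
trap 'rm -f "$SHELLS_FILE" "$PASSWD_FILE"' EXIT

# Constructed /etc/shells; the last line is the misconfiguration in question.
cat > "$SHELLS_FILE" <<'EOF'
# List of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/usr/sbin/nologin
EOF

# Constructed /etc/passwd excerpt (field 7 is the login shell).
cat > "$PASSWD_FILE" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
ftpuser:*:1002:1002:FTP only:/home/ftpuser:/usr/sbin/nologin
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
EOF

# shell_is_listed SHELL FILE: exit 0 if SHELL appears in FILE (comment lines
# ignored), i.e. the system would treat accounts using it as unrestricted.
shell_is_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qx "$1"
}

# exposed_accounts SHELLS PASSWD: print the accounts whose login shell is a
# nologin binary that is also listed in SHELLS. Empty output is the safe state.
exposed_accounts() {
    awk -F: '
        FNR == NR { if ($0 !~ /^[[:space:]]*#/ && $0 ~ /\/nologin$/) bad[$0] = 1; next }
        ($7 in bad) { print $1 }
    ' "$1" "$2"
}

echo "Accounts exposed by a nologin entry in $SHELLS_FILE:"
exposed_accounts "$SHELLS_FILE" "$PASSWD_FILE"
```

Removing /usr/sbin/nologin from the shells list (or giving FTP-only accounts a separately named copy, as the question describes) empties the exposed list while leaving real nologin users restricted.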