Ubuntu
lighttpd package

Lighttpd enables a login shell for user www-data

Bug #216813 reported by Sölvi Páll Ásgeirsson
2
Affects Status Importance Assigned to Milestone
base-passwd (Ubuntu)
Fix Released
Medium
Unassigned
lighttpd (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: lighttpd

I'm using Ubuntu 7.10/amd64, this report regards lighttpd 1.4.18-1ubuntu1.3.
The package creates the user www-data, which lighttpd is run as.
However, the www-data user, by default, has the login shell /bin/sh.
I can see no reason why this user has a valid login shell, instead of /bin/false.

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

this bug against lighty is invalid, because the bugger actually is base-passwd.

Colin, any reasoning why we have to create those accounts with /bin/sh and not /bin/false or whatever is reasonable to not have an open shell by accident?

regards,

\sh

Changed in lighttpd:
status: New → Invalid
Changed in base-passwd:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

This is well-known, but I want to be extremely careful not to break anything, and base-passwd has to be converted to debconf prompting before this can be changed, otherwise it will cause terminal prompts for everyone. Please do not change this in an Ubuntu-specific upload.

Revision history for this message
Colin Watson (cjwatson) wrote :

The specific possibility for breakage that comes to mind is maintainer scripts that drop privileges from root to the users in question using su(1). That breaks if the shell is changed to /bin/false.

Colin Watson (cjwatson)
Changed in base-passwd:
status: Confirmed → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-passwd - 3.5.30

---------------
base-passwd (3.5.30) unstable; urgency=medium

  [ Colin Watson ]
  * Remove config.h.in and configure, now autogenerated by dh-autoreconf.
  * Change the shell of all global static users other than root (which
    retains /bin/sh) and sync (as /bin/sync is rather harmless) to
    /usr/sbin/nologin (closes: #274229; LP: #216813, #248844).
  * Policy version 3.9.5.

  [ Russ Allbery ]
  * Add support for debconf prompting to update-passwd (closes: #184979).

 -- Colin Watson <email address hidden> Tue, 07 Jan 2014 15:41:06 +0000

Changed in base-passwd (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.