Bug 238559

Summary: sysutils/bareos-client: installs passwordless
Product: Ports & Packages Reporter: O. Hartmann <ohartmann>
Component: Individual Port(s) Assignee: Jose Alonso Cardenas Marquez <acm>
Status: Open ---    
Severity: Affects Many People Keywords: needs-qa
Priority: --- Flags: bugzilla: maintainer-feedback? (acm)
Version: Latest   
Hardware: Any   
OS: Any   

Description O. Hartmann 2019-06-14 10:56:14 UTC
Ports tree is at r504068. Installation of port sysutils/bareos-client installs a user on the local machine with a potential risk due to the lack of a password or an explicit account lock. vipw reveals this row after installation:

bareos::997:997::0:0:Bareos Daemon:/var/db/bareos:/usr/sbin/nologin

which should be

bareos:*:997:997::0:0:Bareos Daemon:/var/db/bareos:/usr/sbin/nologin

(the asterisk!).
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-14 11:06:59 UTC
This port only uses the ports framework provided method to add users/groups:

USERS=          bareos
GROUPS=         ${USERS}

As such, it is unlikely to be an issue, but if so, it is an issue that would affect every port that uses it.

Further, note that the user account has the shell set to /usr/sbin/nologin.

man 8 nologin shows:

DESCRIPTION
     The nologin utility displays a message that an account is not available
     and exits non-zero.  It is intended as a replacement shell field for
     accounts that have been disabled.
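
Added example, not part of the bug report or of the ports framework: a POSIX sh/awk check that classifies the password field of every master.passwd-format line, so the empty-field row quoted in the description can be found across all accounts together with its login shell. The function names are hypothetical, and every sample line except the bareos row is constructed.

```sh
#!/bin/sh
# Audit master.passwd-format lines for an empty password field.
# FreeBSD master.passwd has 10 colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# audit_passwd FILE
# Prints "<name> <status> <shell>" per account, where status is
#   EMPTY  password field is empty (the row reported in this bug)
#   STAR   password field is exactly "*" (no hash can match it)
#   OTHER  anything else (a hash, a locked entry, ...)
audit_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }                  # skip comments and blank lines
        NF != 10 { printf "%s MALFORMED -\n", $1; next }
        {
            status = "OTHER"
            if ($2 == "")       status = "EMPTY"
            else if ($2 == "*") status = "STAR"
            printf "%s %s %s\n", $1, status, $10
        }
    ' "$1"
}

# count_empty FILE: number of accounts whose password field is empty.
count_empty() {
    audit_passwd "$1" | awk '$2 == "EMPTY" { n++ } END { print n + 0 }'
}

# make_sample: writes sample input to stdout. The bareos row is the one
# quoted in the report; the other rows are constructed for illustration.
make_sample() {
    cat <<'EOF'
# constructed sample in master.passwd format
root:$6$CONSTRUCTED$notarealhash:0:0::0:0:Constructed Root:/root:/bin/sh
svcfixed:*:998:998::0:0:Constructed Service:/nonexistent:/usr/sbin/nologin
bareos::997:997::0:0:Bareos Daemon:/var/db/bareos:/usr/sbin/nologin
EOF
}

# Stand-alone use: sh audit.sh /path/to/copy-of-master.passwd
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

Reporting the shell next to the status lets a reviewer see both points raised in the thread at once: whether the password field is empty and whether the account's shell is /usr/sbin/nologin.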