Bug 28224

Summary: ftpd doesn't honor invalid shell in login class
Product: Base System
Reporter: xaa <xaa>
Component: bin
Assignee: Yar Tikhiy <yar>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 5.0-CURRENT
Hardware: Any
OS: Any

Description xaa 2001-06-17 08:30:03 UTC
   a user in a login class with an invalid shell (think 'lockout class')
   can ftp to his account without any trouble.

Fix: 

The old patch might still apply, but anyway, the idea is clear:

patch to libexec/ftpd.c

     772a773,775
     > #ifdef LOGIN_CAP
     >       login_cap_t *lc = NULL;
     > #endif
     811a815,825
     > #ifdef LOGIN_CAP
     >               lc = login_getpwclass(pw);
     >               if (lc == NULL) {
     >                       if ((shell = pw->pw_shell) == NULL || *shell == 0)
     >                               shell = _PATH_BSHELL;
     >               } else {
     >                       shell = login_getcapstr(lc, "shell", pw->pw_shell, pw->pw_shell);
     >                       if (shell==NULL || *shell == 0)
     >                               shell = _PATH_BSHELL;
     >               }
     > #else
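
Review bot: lc returned by login_getpwclass(pw) is never released in this hunk or the other two, so a login_close(lc) is needed after the last use of lc. The two branches also repeat the same NULL-or-empty fallback to _PATH_BSHELL: choose the candidate first (pw->pw_shell, or the login_getcapstr() result when lc is non-NULL) and apply the fallback once. Style: `shell==NULL` should be spaced like the `*shell == 0` test next to it.
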
     813a828
     > #endif
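
Review bot: the #endif added at 828 closes the #else that ends the previous hunk, so a LOGIN_CAP build no longer compiles the unchanged lines between them, and this context-free diff does not show what those lines are. Please resend as a unified diff (diff -u) against the current libexec/ftpd.c so the lines being compiled out, and the code that later consumes shell, are visible in review.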

How-To-Repeat:
   create lockoutclass with /usr/bin/false as shell, change user to that
   class, ftp to his account

Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2003-07-13 02:22:59 UTC
Responsible Changed
From-To: freebsd-bugs->yar

Assign to ftpd maintainer

Comment 2 Yar Tikhiy freebsd_committer freebsd_triage 2004-10-30 17:26:16 UTC
State Changed
From-To: open->closed

The "shell" string in login.conf isn't for locking users out. 
Please see the "pw lock" command and how it works--that command 
is the recommended way of locking users out in FreeBSD.