How to set a non-login non-interactive shell for a user?

I am sorry for creating a new topic after my previous inquiry was closed, but I tried and tried and I do not know how to edit my previous post. This is not exactly any homework, this is one of 40 questions we were expected to prepare for one of the labs. I searched and read what I could and still do not know the answer to this problem.

  1. The problem statement, all variables and given/known data:
    I am a root in a Unix system. My shell is bash.

  2. Relevant commands, code, scripts, algorithms:
    How to set for a certain user:

  • a non-login interactive shell,
  • a login, non-interactive shell,
  • a non-login, non-interactive shell.

  3. The attempts at a solution (include all code and scripts):
    I read everything I could find, I only found information about which files are read by different types of shells. I cannot find anywhere how to change a shell for a user to make it:
  • non-interactive and non-login,
  • non-interactive and login,
  • interactive and non-login.

What I know:
I can use useradd or adduser with -s option to set a certain shell, but I do not know what to write after this option.
I know that I can edit /etc/passwd file and for a certain user change the last column to /bin/non-login. I do not know what shell version I get if I do it. It will be non-login all right but interactive or non-interactive?

  4. Complete Name of School (University), City (State), Country, Name of Professor, and Course Number (Link to Course):
    name: Akademia Górniczo-Hutnicza w Krakowie
    city: Cracow
    country: Poland,
    Name of Professor: Grzegorz Nalepa, Krzysztof Kluza

Link to the course (I was not allowed by some mechanism on this website to post any URLs but I am required to do so by the formular therefore I re-wrote the link to the course that the site does recognise that it is a URL: [eidz ti ti pi colon slash slash ai dot ia dot agh dot edu dot pl slash wiki slash pl colon dydaktyka colon unix colon start ]

We do not use numbers for the courses so I cannot provide any course number. It is called Introduction to Unix (Wstęp do systemów Unix).

While I've some difficulty understanding the problem (item 2. in post #1), let me try to clarify some things:
On a system, you have login users (A) and non-login users (B). And, you have interactive (C) and non-interactive (D) access.
Combinations:
A+C is the normal user, logged in via a terminal (his interaction tool).
A+D can be a background process run by a logged in user, supplying the -l option to e.g. bash.
B+C would be an interactive shell run as a subprocess / subshell by an application.
B+D could be a service or a daemon started at boot time and running under a B user.

The command /usr/sbin/nologin (/bin/non-login I do not know about) is NOT a shell, but it prevents the respective user from logging in.
Shells are command line interpreters (CLI) that enable the user to interact with the system. If your system has /etc/shells, list that to see some available shells:

linux:
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
or (Free)BSD:
/bin/csh
/bin/tcsh
/usr/local/bin/bash
/usr/local/bin/rbash

About how to create or change such a user, you can read into:

man useradd
man usermod

hth

So if I understand correctly I cannot change a certain user's shell to non-interactive and/or no-login one. The only thing I can do is to change its shell to /etc/nologin to prevent this user's logging-in. So this is why I could not find the answer to my problem anywhere - such an answer does not exist :).
My homework question was about using chsh command in the non-interactive mode (Can one use chsh command in the non-interactive mode?). I thought it was about setting a certain user's shell to a non-interactive mode. I see now that I was wrong in understanding this question. Thank you so much for making me see this.

Ok... it gets sort of shell specific. Shells will source in certain files if they are "interactive".... however, some shells allow you to override that... With that said, oftentimes trying to override it will break things... so for example if somebody does:

ssh noninteractiveuser@somemachine.com sh -i 

Which is fairly generic and pretty portable... you'd get this weird pseudotty-less interactive session on the remote host. It may error, and of course, it won't work like a true interactive shell... and note, other things won't work right without a tty.... so it's "ok" and a common hacker's way to get an almost interactive session going.

But... since Linux has effectively stomped Unix into the ground, we can assume that all shells are bash nowadays :-). If so, the shell variable dash (e.g. $-) will contain attributes enabled on the shell... if it contains an "i" then the shell is interactive. So, in the case of our hack attempt above, you won't get an "i" in the string returned.

So... can you set a user up as a non-interactive user? I hope you can see the answer is yes and if using bash, you may even be able to circumvent typical ways of getting around it (but probably not every way).

The rest is left as an exercise for the reader.... can't give you all the answers!!

---------- Post updated at 04:05 PM ---------- Previous update was at 03:56 PM ----------

I'm feeling generous...

Put this into the .bashrc of the user:

echo "$-" | grep 'i' && exit 0

---------- Post updated at 04:14 PM ---------- Previous update was at 04:05 PM ----------

aack... it's buggy... not well thought out... the sh -i trick works against it. But anyway, probably will lead you to a solution.

---------- Post updated at 04:28 PM ---------- Previous update was at 04:14 PM ----------

Ok... scrap class... anyone know of a way to circumvent ssh ... sh -i and make that not work? I smell a vulnerability in bash.
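
The four combinations discussed in the replies above can be observed directly. The following is an added example, not part of any post in this thread: it starts bash with `-l` and/or `-i` and has each instance report `shopt login_shell` and whether `$-` contains `i`. The names `PROBE`, `probe_shell` and `report` are made up for the example.

```shell
#!/usr/bin/env bash
# Added example: classify a bash process as login/non-login and
# interactive/non-interactive, the four combinations from the thread.

# Snippet evaluated inside each probed shell. It uses only bash built-ins:
#   shopt -q login_shell  -> true when bash was started as a login shell
#   $-                    -> option flags; contains "i" when interactive
PROBE='
if shopt -q login_shell; then l=login; else l=non-login; fi
case $- in *i*) i=interactive ;; *) i=non-interactive ;; esac
printf "%s %s\n" "$l" "$i"
'

# probe_shell [bash flags...]
# Starts a fresh bash with the given flags and prints its classification.
# --noprofile/--norc keep the user's startup files out of the result;
# stdin and stderr are detached so -i does not complain about a missing tty.
probe_shell() {
    bash --noprofile --norc "$@" -c "$PROBE" </dev/null 2>/dev/null
}

# Prints one line per combination of flags.
report() {
    printf '%-12s %s\n' \
        'bash -l -i:' "$(probe_shell -l -i)" \
        'bash -l:'    "$(probe_shell -l)" \
        'bash -i:'    "$(probe_shell -i)" \
        'bash:'       "$(probe_shell)"
}

report
```

Login and interactive are properties of how a shell process is started (flags, argv[0], whether stdin is a terminal), not values stored in the last field of /etc/passwd.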