eil's questions -ubuntu

eil

Asked: 2020-04-21 14:36:18 +0800 CST

What is the correct way to allow accounts without passwords to chsh?

I hope I have phrased this question correctly, it's a bit of an odd one.

I have an Ubuntu 18.04 host with many users on it. All of the users log into their account on the host via SSH public key. All accounts have no password. This means that the /etc/shadow entry for every user is !. (I do not mean to imply that any account has an empty password, which would mean anyone could enter a username and then hit Enter at the password prompt to log in. An account with no password and an account with an empty password are very different things!)

With this situation, users are unable to set a password for their account with passwd because changing your password requires entering the current one which they can't do. This is actually fine.

However, another thing they can't do is change their shell because doing this requires entering a password, which the accounts don't have.

One solution I found suggests replacing required with sufficient in this line in /etc/pam.d/cshs:

# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth       required   pam_shells.so

This works but my concerns with this are:

I don't understand why this works in my case because users' shells are already in /etc/shells. So why does modifying this suddenly allow users to use chsh without a password? (To be clear, in all cases, the users' current shells and desired shells are both listed in /etc/shells.)
I don't necessarily want service accounts to be able to change their own service-specific shells although this isn't quite as important.

I feel like this is something than can be solved by PAM in a more elegant way, somehow.

eil

Asked: 2019-06-21 12:27:20 +0800 CST

Strange sysctl behavior on Ubuntu Server 18.04

Let's say I have an Ubuntu bionic server that I wish to disable IPv6 on. (Important: This is not an XY Problem, please don't guess at what I'm trying to achieve or ask me why I want to do this. I know how great and wonderful IPv6 is, no need to preach to the choir.) One way to do this is to set the following sysctls:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

When sysctl is run manually with the settings above, this disables all IPv6 networking on the host:

# ip -6 a
#

Great, but that doesn't persist through a reboot. The recommended way to make sysctls persist is to put them in /etc/sysctl.conf, or a file in /etc/sysctl.d. I did that, but after a reboot, IPv6 is still there:

# ip -6 addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 <censored>/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591985sec preferred_lft 604785sec
    inet6 fe80::250:56ff:feae:c158/64 scope link 
       valid_lft forever preferred_lft forever

And yet, the sysctls appear to be correctly set:

# sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6 net.ipv6.conf.lo.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

However when I set them on the command line, to the same value, suddenly IPv6 is actually disabled:

# sysctl -w net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# ip -6 addr
#

So my question, then, is: Why does setting sysctls to specific non-default values in /etc/sysctl.d/ appear to be doing something according to the output of sysctl itself, and yet not actually affecting the kernel's behavior? Is there some subtle difference between setting a sysctl and having it take effect?

I know that sysctl is an interface for /proc/sys but I am seeing the same thing there as well:

# cat /proc/sys/net/ipv6/conf/all/disable_ipv6 
1
# ip -6 a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 <censored>/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591945sec preferred_lft 604745sec
    inet6 fe80::250:56ff:feae:c158/64 scope link 
       valid_lft forever preferred_lft forever
# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
# ip -6 a
#

Also, I have done significant research into this, this question is NOT a dupe of any of these:

What is the correct way to allow accounts without passwords to chsh?

Strange sysctl behavior on Ubuntu Server 18.04

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?