Nagios Support Forum

As per NCPA 3.2.2 changelog: Update login shell for nagios user on Linux systems to /sbin/nologin for improved security.

1. On systems with NCPA already installed, after upgrading to 3.2.2, the nagios user remains /bin/sh, shouldn't the upgrade perform a usermod to set /sbin/nologin?

2. nologin canonical path on modern Linux distributions is /usr/sbin/nologin, and though /sbin/nologin most likely is synlinked, not all distros have both. Setting /sbin/nologin will still deny the login, but for the wrong reason. Perhaps a logical check is required to set /usr/sbin/nologin if identified (assume the upgrade performs a usermod)?

Hi @TBT,

Thank you for the feedback and suggestions. We did choose not to modify existing nagios users for reasons that @yearlysilk pointed out, mainly that some users may be using the nagios user for whatever reasons, in their existing solutions and we did not want to break that. I agree that it might be worth adding a warning in future upgrades that the nagios user has a login shell.

As for your second point, I agree with you that we should probably be using /usr/sbin/nologin instead of relying on the /sbin -> /usr/sbin symlink, as this may not exist in the future or currently on a handful of distros. We did test this change on the most recent few versions of CentOS, RedHat, Oracle, Debian, and Ubuntu and found the /sbin -> /usr/sbin symlink to exist but this could probably change at any time in the future.

Regarding nologin, a warning (if not set), and prompt to make the change (usermod) would be ideal in my opinion.