Hi Benjamin,

On Tue, Oct 28, 2025 at 12:13:35PM +0100, Benjamin Cathelineau wrote:
>
> This is my first feature request/ bug report, hopefully it's
> sufficiently understandable and correct.

Thanks for the report!

> I noticed that the ftpd daemon uses the getusershells() (
> https://man7.org/linux/man-pages/man3/getusershell.3.html) function during
> authentication to check if the user has a valid shell. (ftpd/auth.c line
> 126 in current inetutils-2.6)
>
> At a high level :
>
> - I understand that the /etc/passwd file (
> https://man7.org/linux/man-pages/man5/passwd.5.html) is checked first to
> determine the user shell
>
> - And then the /etc/shells file is used (through the getusershells()
> function) to see if the user shell is within the listed 'allowed' shells on
> the systems

As I understand the documentation of getusershell() [1], it has a
built-in fallback to /bin/sh and /bin/csh if /etc/shells [2] does
not exist or is not readable.

[1]: https://man7.org/linux/man-pages/man3/getusershell.3.html
[2]: https://man7.org/linux/man-pages/man5/shells.5.html

> The documentation (
> https://www.gnu.org/software/inetutils/manual/inetutils.html#Authentication)
> currently states that '3. The user must have a standard shell'
>
> I think the statement is completely correct, but I want to suggest a more
> precise version.
> Something like :
>
> """
>
> 3. The user must have a standard shell : The getusershells function is used
> during authentication to determine if the shell listed in /etc/passwd is
> registered as valid in the system (in the /etc/shells). See getusershells
> documentation for more information.
>
> """
>
> I suggest this modification because I struggled for many hours to figure
> out that authentication was failing on my system due to the absence of this
> file. Of course, this is not a bug, my system was not set up properly, but
> the documentation could be improved.

I concur that "standard shell" is a bit terse, as I would not have
understood this to mean "usually listed in /etc/shells" either.

I intend to push the attached patch soon, it expands point 3 of
ftpd user authentication to:

```
  3. The user must have a standard shell.  If the file '/etc/shells'
     exists and is readable, only programs listed there are considered
     standard shells.  'ftpd' uses the C library function 'getusershell'
     to enumerate standard shells.  Standard shells are also known as
     valid login shells, valid user shells, or permitted user shells.
```

> I note that other daemons do not check for this file, as their
> authentication wasn't failing on my system even though the /etc/shells
> file was absent.

Without /etc/shells, both /bin/sh and /bin/csh should be accepted.

> telnetd is in such case. This made this problem really difficult to
> track down. Thank you for the great software and kind regards.

Yes, adding more details to the ftpd documentation should help.

While I can update the Texinfo documentation, and the online
documentation is created from this, AFAIK I cannot update the
online documentation.

Cheers,
Erik

>From f216be6e7596d46b140393712543f653ce55d20b Mon Sep 17 00:00:00 2001 From: Erik Auerswald <[email protected]> Date: Sat, 8 Nov 2025 08:43:33 +0100 Subject: [PATCH] doc: explain what "standard shell" means for ftpd One part of ftpd user authentication is to check if the user has a so called "standard shell". But, it is no longer obvious what that actually is. The Linux man-pages project uses different names to designate a "standard shell", i.e., "valid login shell" when documenting /etc/shells, "permitted user shells" and "valid user shell" when documenting getusershell(), making it harder to figure this out. Expand ftpd user authentication step 3 by adding information about /etc/shells and getusershell(), and the different names used for "standard shell". * NEWS: Mention ftpd documentation improvement. * doc/inetutils.texi (ftpd invocation): Explain "standard shell" as used in the ftpd authentication rules. --- NEWS | 4 ++++ doc/inetutils.texi | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 8ee1c7c7..789358a4 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ GNU inetutils NEWS -- history of user-visible changes. ** Fix link errors on Solaris 11 OmniOS. +** ftpd: Expanded documentation of user authentication rules. +Thanks to Benjamin Cathelineau, see +<https://lists.gnu.org/archive/html/bug-inetutils/2025-10/msg00000.html>. + * Noteworthy changes in release 2.6 (2025-02-21) [stable] ** The release tarball is now reproducible. diff --git a/doc/inetutils.texi b/doc/inetutils.texi index 675ace24..fd80d142 100644 --- a/doc/inetutils.texi +++ b/doc/inetutils.texi 
@@ -4078,7 +4078,11 @@ provided by the client before any file operations can be performed. The login name must not appear in the file @file{/etc/ftpusers}. @item -The user must have a standard shell. +The user must have a standard shell. If the file @file{/etc/shells} +exists and is readable, only programs listed there are considered standard +shells. @command{ftpd} uses the C library function @code{getusershell} +to enumerate standard shells. Standard shells are also known as valid +login shells, valid user shells, or permitted user shells. @item If the user name is @samp{anonymous} or @samp{ftp}, an anonymous ftp -- 2.34.1
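
Review bot: In the NEWS hunk, the new entry "Expanded documentation of user authentication rules." is in the past tense, while the entry directly above it reads "Fix link errors on Solaris 11 OmniOS."; "Expand ..." would match. The entry also does not say which rule was clarified. Naming "standard shell" and /etc/shells in it would let someone who hit the same login failure find the change by searching NEWS.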
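
Review bot: In the doc/inetutils.texi hunk, the added sentence "If the file @file{/etc/shells} exists and is readable, only programs listed there are considered standard shells" covers only the case where the file is present; the case that prompted the report, a missing or unreadable file, is left unstated. Consider adding one sentence on what applies then, for example that the result depends on the fallback built into the C library's @code{getusershell}, which the cover mail describes as /bin/sh and /bin/csh.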
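
A diagnostic for the check discussed in this thread, as an added example (not code from inetutils or from either poster): it compares an account's /etc/passwd shell with the list that getusershell() enumerates, which shows whether /etc/shells or the C library fallback is in effect on a given system. The function names and the default account `root` are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose the getusershell() family on glibc */
#endif
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if `shell` is among the entries getusershell() enumerates. */
int shell_is_standard(const char *shell)
{
    const char *entry;
    int found = 0;

    setusershell();                      /* rewind to the first entry */
    while (!found && (entry = getusershell()) != NULL)
        found = (strcmp(entry, shell) == 0);
    endusershell();
    return found;
}

/* 1: login shell is standard, 0: it is not, -1: no such account.
   The pw_shell field is compared literally, an empty field included. */
int user_has_standard_shell(const char *user)
{
    struct passwd *pw = getpwnam(user);
    return pw == NULL ? -1 : shell_is_standard(pw->pw_shell);
}

/* Count the enumerated shells; print each one when `verbose` is set. */
int count_standard_shells(int verbose)
{
    const char *entry;
    int n = 0;

    setusershell();
    while ((entry = getusershell()) != NULL) {
        if (verbose)
            printf("  %s\n", entry);
        n++;
    }
    endusershell();
    return n;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";  /* default is an assumption */
    int rc;

    printf("/etc/shells readable: %s\n",
           access("/etc/shells", R_OK) == 0 ? "yes" : "no");
    puts("shells enumerated by getusershell():");
    count_standard_shells(1);
    rc = user_has_standard_shell(user);
    printf("%s: %s\n", user, rc < 0 ? "no such account"
                             : rc ? "standard shell" : "shell not listed");
    return rc == 1 ? 0 : 1;
}
```

Run it with the FTP account name as the only argument; an empty list, or a login shell that is absent from it, means the "standard shell" rule cannot be satisfied for that account.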
