With the new accountsservice, I see three users that are not filtered anymore because they don't have nologin or false as login shell: ftp, games and man.
Can we add them to the default blacklist (default_excludes in daemon.c)? On a Debian system I have, I see that at least games and man are there too, with /bin/sh as login shell, so it doesn't just affect openSUSE, I guess.
we started getting complaints about the mysql users in fedora too:
Would the proposed solution there ^ work for you cases (looking at the shadow file and filtering out users with "!!" passwords
i'm don't really mind expanding the blacklist. I'd just like to find a more scalable solution I guess.
pushed a change to add ftp, games, man, and mysql to the blacklist
err tried, git.freedesktop.org is down apparently.
(In reply to comment #1)
> Would the proposed solution there ^ work for you cases (looking at the shadow
> file and filtering out users with "!!" passwords
I don't really like the idea of opening /etc/shadow, to be honest :-) But otherwise, no objection. Hrm, the users have "*" passwords here, not "!!". Which is slightly different (and unfortunate, as iirc, "*" just means no password while "!!" means no login at all).
Created attachment 60234 [details] [review]
Also exclude "at" user
Another user reported the issue with "at"...
pushed, though turns out we already do the /etc/shadow snooping, so we just need to change it to be less specific about what it excludes.
(In reply to comment #7)
> pushed, though turns out we already do the /etc/shadow snooping, so we just
> need to change it to be less specific about what it excludes.
Allesio has reverted the commit for now, which drops the filtering based on MIN_UID.
okay i pushed this:
daemon: be more aggresive at excluding system accounts
system accounts sometimes have valid shells, so checking for
a valid shell isn't the best way to avoid showing those accounts.
This commit changes accountsservice to exclude accounts that have
a password hash that doesn't match one of the standard formats.
So i'm going to close this bug out.