Portable value for PATH_NOLOGIN.

ChangeLog

@@ -1,3 +1,10 @@
+2013-06-11  Mats Erik Andersson  <gnu@gisladisker.se>
+
+	* paths (PATH_NOLOGIN): Change default value to
+	`/etc/nologin' for best portability.
+	* README: Add some observations on hard-coded
+	file locations.
+
 2013-06-11  Mats Erik Andersson  <gnu@gisladisker.se>
 
 	ftpd: Erroneous access check.

README

@@ -12,6 +12,7 @@ distribution, and rules to find values for them.  To change a path
 PATH_FOO, you may either tell configure, by using
 `--with-path-foo=VALUE' (where VALUE may contain references to make
 variables such as `$(bindir)'), or edit the `paths' file.
+See further below for some important cases.
 
 If you wish to build only the clients or only the servers, you may
 wish to use the --disable-servers or --disable-clients options when
@@ -30,9 +31,9 @@ also does not have a complete list of whois servers; feel free to send
 information about additional whois servers to the bug reporting
 address.
 
-Notes:
+Notes on setuid-executables:
 
-1) All of the r* client commands, 'rcp', 'rlogin', 'rsh', used to
+ - All of the r* client commands, 'rcp', 'rlogin', 'rsh', used to
    need to be installed as setuid root to work correctly, since
    they use privileged ports for communication.  However, some
    modern operating systems now offer capabilities that avoid
@@ -40,11 +41,47 @@ Notes:
    our present code.  CAP_NET_BIND_SERVICE and PRIV_NET_PRIVADDR
    are relevant for the above three programs.
 
-2) Similarly, 'ping', 'ping6', and 'traceroute', used to depend
+ - Similarly, 'ping', 'ping6', and 'traceroute', used to depend
    on setuid installation, but also these are now content with
    capabilities like CAP_NET_RAW, PRIV_NET_ICMPACCESS, and
    PRIV_NET_RAWACCESS.
 
+Notes on hard-coded file locations:
+
+ - Some of the buildable executables depend critically on
+   hard-coded file locations for correct execution.  The most
+   important, where care is needed, are highlighted below.
+
+ - `ftpd' needs access to several configuration files, in order
+   that all use cases be covered.  Both of PATH_FTPCHROOT and
+   PATH_FTPWELCOME are normally positioned correctly in sysconfdir
+   by default, whereas PATH_FTPUSERS usually is desired to state
+   `/etc/ftpusers', but not all systems manage this.  Particular
+   care should be given to PATH_FTPLOGINMESG, since it defaults
+   to `/etc/motd', which cannot be claimed as universally ideal.
+   A sensible counter measure could be
+
+     ./configure --with-path-ftploginmesg='$(sysconfdir)/ftpmotd'
+
+   This would, however, complicate matter for chrooted users,
+   so a minor variation on the default could be preferable:
+
+     ./configure --with-path-ftploginmesg=/etc/ftpmotd
+
+   Finally, the fall-back value `/etc/nologin' for PATH_NOLOGIN
+   is in effect for every systems lacking <paths.h>, but this
+   sets the most plausible location in any case.
+
+ - `rcp' relies on PATH_RSH for proper hand-over.  Use the
+   configuration switch `--with-path-rsh=VALUE' for overriding
+   the detected value.  It should point to the intended location
+   of `rsh', particularly when built with Kerberos support.
+
+ - Similarily, `rsh' needs PATH_RLOGIN to locate `rlogin' for
+   correct delegation.  The switch `--with-path-rlogin=VALUE'
+   may come handy to ensure that `rsh' as well as `rlogin'
+   offer identical Kerberos support.
+
 Some known deficiencies:
 
  - Non-Shishi Kerberos support does not build.  Patches welcome.

paths

@@ -94,7 +94,7 @@ PATH_LOGCONF	$(sysconfdir)/syslog.conf
 PATH_LOGCONFD	$(sysconfdir)/syslog.d
 PATH_LOGIN	x $(bindir)/login search:login
 PATH_LOGPID	$(localstatedir)/run/syslog.pid
-PATH_NOLOGIN	$(sysconfdir)/nologin
+PATH_NOLOGIN	/etc/nologin
 PATH_RLOGIN	x $(bindir)/rlogin
 PATH_RSH	x $(bindir)/rsh
 PATH_TMP	d /tmp/