From 42408492610c827c249bcb461e1a9b50ad4c6aa6 Mon Sep 17 00:00:00 2001 From: David Schultz Date: Mon, 17 Nov 2003 00:08:28 +0000 Subject: [PATCH] Document nologin(8) as being insecure in conjunction with a dynamic root and suggest alternatives. --- sbin/nologin/nologin.8 | 15 +++++++++++++++ usr.sbin/nologin/nologin.8 | 15 +++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/sbin/nologin/nologin.8 b/sbin/nologin/nologin.8 index 7f8f9fff2877..0c452ff33535 100644 --- a/sbin/nologin/nologin.8 +++ b/sbin/nologin/nologin.8 @@ -59,3 +59,18 @@ The .Nm utility appeared in .Bx 4.4 . +.Sh BUGS +Login mechanisms that allow users to specify the initial environment, +such as +.Xr login 1 +and +.Xr sshd 8 , +can be used to bypass +.Nm . +To avoid this possibility, you must use a different lockout mechanism +such as +.Xr login.conf 5 +or compile a statically-linked +.Xr sh 1 +as described in +.Xr make.conf 5 . diff --git a/usr.sbin/nologin/nologin.8 b/usr.sbin/nologin/nologin.8 index 7f8f9fff2877..0c452ff33535 100644 --- a/usr.sbin/nologin/nologin.8 +++ b/usr.sbin/nologin/nologin.8 @@ -59,3 +59,18 @@ The .Nm utility appeared in .Bx 4.4 . +.Sh BUGS +Login mechanisms that allow users to specify the initial environment, +such as +.Xr login 1 +and +.Xr sshd 8 , +can be used to bypass +.Nm . +To avoid this possibility, you must use a different lockout mechanism +such as +.Xr login.conf 5 +or compile a statically-linked +.Xr sh 1 +as described in +.Xr make.conf 5 .
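Review bot: In the sbin/nologin/nologin.8 hunk, the new BUGS text never states why the bypass works, so the advice to compile a statically-linked sh(1) reads as unconnected to the sentence before it about user-specified environments. The subject line ties the problem to a dynamic root, but the manual page itself does not. Add a sentence saying that the exposure exists when sh(1) is dynamically linked and the login mechanism passes a user-supplied environment through to it. The references would also be more useful if they named the specific login.conf(5) capability and the make.conf(5) setting an administrator should use, since "as described in" leaves the reader searching both pages.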
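Review bot: The usr.sbin/nologin/nologin.8 hunk duplicates the BUGS text of the sbin/ copy line for line (both diffs show index 7f8f9fff2877..0c452ff33535), which leaves two identical pages to keep in sync by hand whenever this security note is revised. If both paths have to carry the page, say why in the commit message, or make one location the single source so that a later correction to the lockout advice cannot land in only one of them.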