Consider hiding /sbin/nologin users by default.

[lruzicka]

Description

In my system (Fedora 40 KDE), I attempted to set up the PureFTP server and allow FTP connections to that machine. If I do not want to use my real system users, I can set up one global FTP user and have it cover all the virtual users inside the PureFTP. This global user, however, is a system user with disabled home directory and with disabled login, automatically, the user's ID is chosen as the lowest possible value AFTER other users, which results in the ID in the rank above 1000, being 1001 in my case.

SDDM will still show this user in the login screen, although the real person sitting behind the keyboard cannot use that user to login. This, I believe, should not be happening. This is always reproducible.

Steps to Reproduce

1. Install Fedora 40 KDE.
2. Open Konsole.
3. Add a new group for FTP
   groupadd ftpusers
4. Add a new user within this group, with login disabled
   useradd -g ftpusers -d /dev/null -s /sbin/nologin ftpuser
5. Reboot the computer and watch the SDDM login screen.

Actual Results

The user is shown at the SDDM login screen.

Expected Results

The user should not be shown at the SDDM login screen, because one can't log in is that user. Only users with enabled log ins should be shown at that screen. The GDM behaves correctly and does not show that user.

Consider, making it the default option.

More info

In the sddm.conf, there is a [Users] section that has a the HideShells option which is currently empty. When I change it to

HideShell=/sbin/nologin

that FTP user is not longer shown in SDDM which I think should be a default behaviour.

Also reported as https://bugzilla.redhat.com/show_bug.cgi?id=2273942

[C0rn3j]

Also wrongly reported here on KDE's tracker, by me.

[Vogtinator]

Can be done, but all user accounts not meant to be used by actual users should be created with useradd --system which puts their UID into the range already ignored by sddm.

[Vogtinator]

#1910, untested