Change named shell to /bin/false

Related: rhbz#1569466
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Petr Menšík 2018-05-29 22:45:20 +02:00
parent 0188ce47c6
commit 5c4c792b8d


@ -126,6 +126,9 @@ Requires(preun): systemd
Requires(postun): systemd
Requires: coreutils
Requires(pre): shadow-utils
Requires(post): shadow-utils
Requires(post): glibc-common
Requires(post): grep
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: bind-config < 30:9.3.2-34.fc6
Provides: bind-config = 30:9.3.2-34.fc6
@ -925,20 +928,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
%pre
if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;
%post
%?ldconfig
%systemd_post named.service
if [ "$1" -eq 1 ]; then
# Initial installation
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
# rndc.key has to have correct perms and ownership, CVE-2007-6283
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
# Upgrade, use invalid shell
if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
usermod -s /bin/false named
fi
fi
%systemd_post named.service
:;
%preun
@ -1401,6 +1409,7 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-9
- Make named home writeable (#1422680)
- Change named shell to /bin/false
* Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-8
- Require C++ on build when shipped atf library is used
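Review bot: The shell migration in `%post` sits only in the `else` (upgrade) branch, so a `named` account that already exists with `/sbin/nologin` keeps that shell on a fresh install, because the `useradd` in `%pre` then fails silently behind `>/dev/null 2>&1 || :` and nothing else touches the shell. This would happen, for example, on reinstall after an erase, assuming the account is left behind on removal, which is not visible here. Moving the `getent passwd named | grep ':/sbin/nologin$' >/dev/null` check and its `usermod` below the closing `fi` of the install/upgrade split would cover both paths. The pattern is anchored on the colon, so an account recorded as `/usr/sbin/nologin` is skipped; if only the packaged default is meant to be migrated, a comment such as `# only rewrite the shell this package set; leave admin-chosen shells alone` would make that explicit. `usermod` is also the one account tool called through `PATH`, whereas `%pre` uses `/usr/sbin/useradd`; `/usr/sbin/usermod -s /bin/false named` would be consistent.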