bug#40550: zsh: sudo is not setuid

bug#40550: zsh: sudo is not setuid

[Alexandru-Sergiu Marton]

Hi,

I changed my default shell to zsh with the following line added to
my user-account record in my config.scm:

(shell #~(string-append #$zsh "/bin/zsh"))

After reconfiguring the system and rebooting, when I try to run sudo or
su (I guess this problem appears for every thing in %setuid-programs), I
get a message saying it isn't actually a setuid program.

I'm writing this from a reconfigured system started at the same point as
the zsh one started, but with bash. Here I don't have that problem --
setuid programs work as expected.

Steps to reproduce:
- $ guix pull
- Change the default shell to zsh in your config.scm, as presented
  above.
- $ sudo guix system reconfigure config.scm
- Reboot.
- Try to run sudo or su. It should give you an error.

Cheers,
Sergiu

bug#40550: zsh: sudo is not setuid

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 2741 bytes --]

On Sat, Apr 11, 2020 at 01:10:17PM +0300, Alexandru-Sergiu Marton wrote:
> Hi,
> 
> I changed my default shell to zsh with the following line added to
> my user-account record in my config.scm:
> 
> (shell #~(string-append #$zsh "/bin/zsh"))
> 
> After reconfiguring the system and rebooting, when I try to run sudo or
> su (I guess this problem appears for every thing in %setuid-programs), I
> get a message saying it isn't actually a setuid program.
> 
> I'm writing this from a reconfigured system started at the same point as
> the zsh one started, but with bash. Here I don't have that problem --
> setuid programs work as expected.
> 
> Steps to reproduce:
> - $ guix pull
> - Change the default shell to zsh in your config.scm, as presented
>   above.
> - $ sudo guix system reconfigure config.scm
> - Reboot.
> - Try to run sudo or su. It should give you an error.

Do you have sudo installed in a profile? /run/setuid-programs/sudo
should be the first 'sudo' in your PATH regardless of the shell. What's
the contents of your $PATH?

(ins)efraim@E5400 ~$ which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo
(ins)efraim@E5400 ~$ guix environment --ad-hoc zsh
substitute: updating substitutes from 'http://192.168.1.183:3000'... 100.0%
substitute: updating substitutes from 'http://192.168.1.217:3000'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bayfront.guix.gnu.org'... 100.0%
The following derivation will be built:
   /gnu/store/yfqfk66vl1s6av45a92ml5l60d2kaxyk-profile.drv
2.1 MB will be downloaded:
   /gnu/store/icyx0ynnaaradzzxfqyjrwy0x545zdn5-zsh-5.8
The following profile hooks will be built:
   /gnu/store/8kim2ay78nrlgpdks734hridk21waxhc-fonts-dir.drv
   /gnu/store/fxdkr919viih72p9s2zkiadgj7r182d1-info-dir.drv
   /gnu/store/ml3s254v7zf4dmwmfpc59clr0xgllsbn-ca-certificate-bundle.drv
   /gnu/store/rvd1xybadpnzwlm1qz7iqcsky1dj2myw-manual-database.drv
downloading from https://ci.guix.gnu.org/nar/lzip/icyx0ynnaaradzzxfqyjrwy0x545zdn5-zsh-5.8...
 zsh-5.8  2.0MiB                                            1.6MiB/s 00:01 [##################] 100.0%

building CA certificate bundle...
building fonts directory...
building directory of Info manuals...
building database for manual pages...
building profile with 1 package...
(ins)efraim@E5400 ~ [env]$ zsh
E5400% which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#40550: zsh: sudo is not setuid

[Alexandru-Sergiu Marton]

On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:
> Do you have sudo installed in a profile? /run/setuid-programs/sudo
> should be the first 'sudo' in your PATH regardless of the shell. What's
> the contents of your $PATH?

This is my $PATH in zsh:
/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

> (ins)efraim@E5400 ~$ which -a sudo
> /run/setuid-programs/sudo
> /run/current-system/profile/bin/sudo

$ which -a sudo
/run/current-system/profile/bin/sudo

BUT!

$ ls /run/setuid-programs/
dbus-daemon-launch-helper  newuidmap  pkexec                 sudoedit
fusermount                 passwd     polkit-agent-helper-1  umount
mount                      ping       su
newgidmap                  ping6      sudo

So it looks like it's a problem with my PATH. While in bash I don't
append /run/setuid-programs to it manually, yet bash recognizes the
setuid programs. I'll probably add /run/setuid-programs by hand but I'm
wondering why doesn't it work by default.

Thanks,
Sergiu

bug#40550: zsh: sudo is not setuid

[Alexandru-Sergiu Marton]

Just a few more details. If I boot into a system config with bash as the
default shell, this is my $PATH:

/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin

If I get zsh through an environment, my PATH still has
/run/setuid-programs in it.

[brown@121408 ~]$ guix environment --ad-hoc zsh
[brown@121408 ~][env]$ zsh
[brown@121408 ~]$ echo $PATH
/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/gnu/store/anb9bk6qbwhblfr6fqcv6iiq8scyng1i-profile/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin
[brown@121408 ~]$ which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo

So my problem happens only when setting zsh as an account's default
shell.

bug#40550: zsh: sudo is not setuid

[Leo Famulari]

On Mon, Apr 13, 2020 at 07:46:58AM +0300, Alexandru-Sergiu Marton wrote:
> On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:
> > Do you have sudo installed in a profile? /run/setuid-programs/sudo
> > should be the first 'sudo' in your PATH regardless of the shell. What's
> > the contents of your $PATH?
> 
> This is my $PATH in zsh:
> /home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

Setting up Zsh should definitely work when creating a new user's home
directory, but maybe it doesn't do the right thing when changing a
user's shell after the home directory has already been created. We
should look into that.

Please copy the contents of '/etc/skel/.zprofile' to your zprofile file
and check for the /run/setuid-programs in your $PATH after logging in
again with `zsh --login`.

bug#40550: zsh: sudo is not setuid

[Leo Famulari]

On Mon, Apr 13, 2020 at 01:55:55PM -0400, Leo Famulari wrote:
> Setting up Zsh should definitely work when creating a new user's home
> directory, but maybe it doesn't do the right thing when changing a
> user's shell after the home directory has already been created. We
> should look into that.

I tested it, and if the file ~/.zprofile already exists when Guix tries
to set up its own ~/.zprofile, then nothing is done. Maybe you already
had a ~/.zprofile?

bug#40550: zsh: sudo is not setuid

[Alexandru-Sergiu Marton]

On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> I tested it, and if the file ~/.zprofile already exists when Guix tries
> to set up its own ~/.zprofile, then nothing is done. Maybe you already
> had a ~/.zprofile?

Yes. That should be the problem then. It is confusing though, because I
didn't think for a second that might affect it. How is this set up on
bash? It doesn't look like there is any place where /run/setuid-programs
is appended to PATH in any of my bash files.

bug#40550: zsh: sudo is not setuid

[Alexandru-Sergiu Marton]

On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> I tested it, and if the file ~/.zprofile already exists when Guix tries
> to set up its own ~/.zprofile, then nothing is done. Maybe you already
> had a ~/.zprofile?

What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
When should that happen? I tried reconfiguring my system to use zsh and
I deleted my ~/.zprofile prior to that, but after the reconfiguration
there was no new ~/.zprofile created in my home dir.

Currently I append /run/setuid-programs manually to my PATH to get
around this issue.

bug#40550: zsh: sudo is not setuid

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 1063 bytes --]

On Fri, Apr 17, 2020 at 10:58:52AM +0300, Alexandru-Sergiu Marton wrote:
> On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> > I tested it, and if the file ~/.zprofile already exists when Guix tries
> > to set up its own ~/.zprofile, then nothing is done. Maybe you already
> > had a ~/.zprofile?
> 
> What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
> When should that happen? I tried reconfiguring my system to use zsh and
> I deleted my ~/.zprofile prior to that, but after the reconfiguration
> there was no new ~/.zprofile created in my home dir.

I believe it would only insert a new .zprofile when a new user is
created. zprofile is in (gnu system shadow) and currently it only
sources /etc/profile.

> 
> Currently I append /run/setuid-programs manually to my PATH to get
> around this issue.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]