unofficial mirror of bug-guix@gnu.org 
* bug#23971: Nobody has a shell
@ 2016-07-13 10:10 Vincent Legoll
  2016-07-13 22:01 ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Vincent Legoll @ 2016-07-13 10:10 UTC (permalink / raw)
  To: 23971

vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash

On my Debian, this user is left out the door:

$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Even its HOME directory is nonexistent, purposely...

Is this not a security risk (greater attack surface) or something like that?

-- 
Vincent Legoll


* bug#23971: Nobody has a shell
  2016-07-13 10:10 bug#23971: Nobody has a shell Vincent Legoll
@ 2016-07-13 22:01 ` Ludovic Courtès
  2016-07-14 10:25   ` Vincent Legoll
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2016-07-13 22:01 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: 23971-done

Vincent Legoll <vincent.legoll@gmail.com> skribis:

> vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
> nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
>
> On my Debian, this user is left out the door:
>
> $ grep nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>
> Even its HOME directory is nonexistent, purposely...

Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.

The ‘shell’ field was omitted from the definition of “nobody”, which is
why it ended up using Bash, which is the default shell.

Thanks!

Ludo’.


* bug#23971: Nobody has a shell
  2016-07-13 22:01 ` Ludovic Courtès
@ 2016-07-14 10:25   ` Vincent Legoll
  2016-07-14 18:36     ` Efraim Flashner
                       ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Vincent Legoll @ 2016-07-14 10:25 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23971-done

> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>
> The ‘shell’ field was omitted from the definition of “nobody”, which is
> why it ended up using Bash, which is the default shell.

Thanks, the fix looks good, but I tried with guix system reconfigure
after guix pull.
That does not change /etc/passwd.

I tried guix refresh, but got that bt:

#####################################################################
Backtrace:
In unknown file:
   ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
In ice-9/boot-9.scm:
  63: 18 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 17 [eval # #]
In ice-9/boot-9.scm:
2401: 16 [save-module-excursion #<procedure f48940 at
ice-9/boot-9.scm:4045:3 ()>]
4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
1724: 14 [%start-stack load-stack #<procedure f5bc00 at
ice-9/boot-9.scm:4041:10 ()>]
1729: 13 [#<procedure f5fea0 ()>]
In unknown file:
   ?: 12 [primitive-load
"/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
In guix/ui.scm:
1209: 11 [run-guix-command refresh]
In ice-9/boot-9.scm:
 157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
 157: 9 [catch system-error ...]
In guix/scripts/refresh.scm:
 382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
 401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
In srfi/srfi-1.scm:
 616: 6 [for-each #<procedure 4361740 at
guix/scripts/refresh.scm:401:22 (package)> ...]
In guix/scripts/refresh.scm:
 402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
In guix/upstream.scm:
 135: 4 [package-update-path # #]
In ice-9/boot-9.scm:
 157: 3 [catch srfi-34 #<procedure 3531c00 at
guix/import/pypi.scm:313:2 ()> ...]
In guix/import/pypi.scm:
 317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
  68: 1 [latest-source-release #f]
In unknown file:
   ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]

ERROR: In procedure find:
ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
#####################################################################

What did I do wrong?

-- 
Vincent Legoll


* bug#23971: Nobody has a shell
  2016-07-14 10:25   ` Vincent Legoll
@ 2016-07-14 18:36     ` Efraim Flashner
  2016-07-14 20:10     ` Leo Famulari
  2016-07-15 13:03     ` Ludovic Courtès
  2 siblings, 0 replies; 8+ messages in thread
From: Efraim Flashner @ 2016-07-14 18:36 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: 23971-done


On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
> 
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
> 
> I tried guix refresh, but got that bt:
> 
> #####################################################################
> Backtrace:
> In unknown file:
>    ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
> In ice-9/boot-9.scm:
>   63: 18 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
>  432: 17 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 16 [save-module-excursion #<procedure f48940 at
> ice-9/boot-9.scm:4045:3 ()>]
> 4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 14 [%start-stack load-stack #<procedure f5bc00 at
> ice-9/boot-9.scm:4041:10 ()>]
> 1729: 13 [#<procedure f5fea0 ()>]
> In unknown file:
>    ?: 12 [primitive-load
> "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
> In guix/ui.scm:
> 1209: 11 [run-guix-command refresh]
> In ice-9/boot-9.scm:
>  157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
>  157: 9 [catch system-error ...]
> In guix/scripts/refresh.scm:
>  382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
>  401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
> In srfi/srfi-1.scm:
>  616: 6 [for-each #<procedure 4361740 at
> guix/scripts/refresh.scm:401:22 (package)> ...]
> In guix/scripts/refresh.scm:
>  402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
> In guix/upstream.scm:
>  135: 4 [package-update-path # #]
> In ice-9/boot-9.scm:
>  157: 3 [catch srfi-34 #<procedure 3531c00 at
> guix/import/pypi.scm:313:2 ()> ...]
> In guix/import/pypi.scm:
>  317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
>   68: 1 [latest-source-release #f]
> In unknown file:
>    ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
> 
> ERROR: In procedure find:
> ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
> #####################################################################
> 
> What did I do wrong ?
> 
> -- 
> Vincent Legoll
> 

`guix refresh' checks upstream for newer releases of software than
what Guix currently knows, so here it was checking for newer software
from pypi, which hasn't been updated since pypi changed their uri
scheme.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* bug#23971: Nobody has a shell
  2016-07-14 10:25   ` Vincent Legoll
  2016-07-14 18:36     ` Efraim Flashner
@ 2016-07-14 20:10     ` Leo Famulari
  2016-07-15  7:30       ` Vincent Legoll
  2016-07-15 13:03     ` Ludovic Courtès
  2 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2016-07-14 20:10 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: 23971-done

On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
> 
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

I've noticed that certain changes to my own user require reboot.

Others, which involve bringing previously non-Guix controlled user
parameters under control of Guix, seemed to require me to remove the
user from my system configuration, reconfigure, and then re-add the
user. I'm not sure what nobody's GuixSD user configuration would look
like.

Neither is a good solution, but could you try them out?


* bug#23971: Nobody has a shell
  2016-07-14 20:10     ` Leo Famulari
@ 2016-07-15  7:30       ` Vincent Legoll
  0 siblings, 0 replies; 8+ messages in thread
From: Vincent Legoll @ 2016-07-15  7:30 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23971-done

Thanks Efraim, I should have RTFM more on guix refresh, I guess...

Leo, yes I'll try reboot to see if it makes any difference, and then
remove the user if that doesn't do it. And report here.

On Thu, Jul 14, 2016 at 10:10 PM, Leo Famulari <leo@famulari.name> wrote:
> On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
>> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>> >
>> > The ‘shell’ field was omitted from the definition of “nobody”, which is
>> > why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> I've noticed that certain changes to my own user require reboot.
>
> Others, which involve bringing previously non-Guix controlled user
> parameters under control of Guix, seemed to require me to remove the
> user from my system configuration, reconfigure, and then re-add the
> user. I'm not sure what nobody's GuixSD user configuration would look
> like.
>
> Neither is a good solution, but could you try them out?



-- 
Vincent Legoll


* bug#23971: Nobody has a shell
  2016-07-14 10:25   ` Vincent Legoll
  2016-07-14 18:36     ` Efraim Flashner
  2016-07-14 20:10     ` Leo Famulari
@ 2016-07-15 13:03     ` Ludovic Courtès
  2016-07-23  6:48       ` Vincent Legoll
  2 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2016-07-15 13:03 UTC (permalink / raw)
  To: Vincent Legoll; +Cc: 23971-done

Vincent Legoll <vincent.legoll@gmail.com> skribis:

>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>
>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>> why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

It does change /etc/passwd (specifically, this is done in ‘modify-user’
in activation.scm, which is itself run from the activation script of the
new system that ‘guix system reconfigure’ runs; note that this changes
the shell but leaves the home directory unchanged, see the comment in
there.)

Could it be that you did not run ‘guix pull’ as root?  Remember that
‘guix pull’ is per-user:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-pull.html

HTH,
Ludo’.


* bug#23971: Nobody has a shell
  2016-07-15 13:03     ` Ludovic Courtès
@ 2016-07-23  6:48       ` Vincent Legoll
  0 siblings, 0 replies; 8+ messages in thread
From: Vincent Legoll @ 2016-07-23  6:48 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23971-done

On Fri, Jul 15, 2016 at 3:03 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> Vincent Legoll <vincent.legoll@gmail.com> skribis:
>
>>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>>
>>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>>> why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> It does change /etc/passwd (specifically, this is done in ‘modify-user’
> in activation.scm, which is itself run from the activation script of the
> new system that ‘guix system reconfigure’ runs; note that this changes
> the shell but leaves the home directory unchanged, see the comment in
> there.)
>
> Could it be that you did not run ‘guix pull’ as root?  Remember that
> ‘guix pull’ is per-user:

Yep, that was probably the case.

I tested in a new VM (from scratch) 0.10.0 usb install
- initially: /var/empty + bash
- guix pull + reconfigure : usermod: change shell to nologin, but home
dir stayed the same
- delete user nobody + guix system reconfigure: user nobody is back,
with /nonexistent home dir

So this looks like it is fixed, and next usb install should be good
from 1st day...

-- 
Vincent Legoll
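
Added example (not part of the thread and not Guix code): a POSIX sh check for
the condition reported here, an account such as nobody whose passwd(5) shell
field is a login shell. The function name check_no_login and the middle sample
entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit one passwd(5) entry read from stdin.
# Field order per passwd(5): name:password:UID:GID:GECOS:home:shell

# check_no_login NAME < passwd-file
# Prints one verdict line; returns 0 only when the shell is nologin or false.
check_no_login() {
    want=$1
    result="$want MISSING"
    rc=1
    while IFS=: read -r name _pw uid _gid _gecos home shell; do
        [ "$name" = "$want" ] || continue
        # Compare the basename so that store paths ending in /sbin/nologin
        # match as well as /usr/sbin/nologin (assumption of this example).
        case "${shell##*/}" in
            nologin|false) verdict=OK; rc=0 ;;
            # passwd(5): an empty shell field falls back to /bin/sh.
            '')            verdict=FAIL-empty-shell ;;
            *)             verdict=FAIL-login-shell ;;
        esac
        # Informational only: the thread notes reconfigure leaves home as-is.
        if [ -d "$home" ]; then homestate=exists; else homestate=absent; fi
        result="$name uid=$uid $verdict shell=${shell:-<empty>} home=$home ($homestate)"
        break
    done
    printf '%s\n' "$result"
    return "$rc"
}

# Sample entries: the first and last are quoted in the thread, the middle one
# is constructed to model "shell changed, home dir stayed the same".
demo() {
    for entry in \
        'nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash' \
        'nobody:x:65534:997::/var/empty:/usr/sbin/nologin' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
    do
        printf '%s\n' "$entry" | check_no_login nobody || true
    done
}
demo
```

On a live system the same function can be fed with `check_no_login nobody < /etc/passwd`; its exit status makes it usable in a post-reconfigure check.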
