unofficial mirror of bug-guix@gnu.org 
* bug#68387: guix shell --container --share=/etc overrides shadow files
@ 2024-01-11 14:10 Christina O'Donnell
  0 siblings, 0 replies; only message in thread
From: Christina O'Donnell @ 2024-01-11 14:10 UTC (permalink / raw)
  To: 68387

Hi Guix,

Running the below command as root overrides the running system's shadow files
(/etc/shadow, /etc/passwd, and /etc/group).

WARNING: Don't run the following outside of a VM!

   guix shell --container --share=/etc

This erases the current user from the passwd database, meaning `su` and `sudo`
no longer work, and you can't log in.

Discussion

The context is that I was tracking down a libreoffice bug using guix
time-machine and ran the very clever command trying to get the display working.

   sudo guix time-machine ... -- environment -C --ad-hoc coreutils sway \
     --preserve='DISPLAY' --preserve='XDG' --share=/etc -- sway

Now of course if you write random commands with sudo, you should expect to brick
your system from time to time. And setting `--share=/etc` wasn't a particularly
smart idea. However, it would have been nice to not have that wipe my shadow files.

For example, being warned about sharing /etc with a container.

To reproduce, run the Guix command in a basic VM image, connecting to the Guix
daemon on the host.[1]

Please let me know if you have any questions!

Kind regards,
  - Christina O'Donnell

https://mutix.org/

---

[1] See my blog for more details:
https://mutix.org/pages/blog/20240109-how-to-run-guix-in-vm.html
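
The kind of warning asked for in the report above, sketched as an added example (not part of the original message and not Guix code): a POSIX shell pre-flight check that scans a `guix shell` / `guix environment` command line and flags any `--share` mapping whose source covers `/etc`. The function names are hypothetical, and it assumes `--share` takes `SOURCE[=TARGET]`, written either as `--share=SPEC` or as `--share SPEC`.

```shell
#!/bin/sh
# Added example: refuse guix container invocations that share host /etc.
# --share mounts the host path writable in the container; --expose is the
# read-only variant and is deliberately not flagged here.

# covers_etc PATH: succeed when PATH is /, /etc, or anything below /etc.
# Paths are compared literally; symlinks and ".." are not resolved.
covers_etc() {
    p=$1
    # Drop trailing slashes, but keep "/" itself.
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    case $p in
        /|/etc|/etc/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_share_args ARGS...: return 1 if any --share source covers /etc.
# "--" is not treated as a terminator, because in
#   guix time-machine ... -- environment -C ... --share=/etc -- sway
# the container options come after the first "--".
check_share_args() {
    risky=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --share=*) spec=${arg#--share=} ;;
            --share)   [ $# -gt 0 ] || break; spec=$1; shift ;;
            *)         continue ;;
        esac
        src=${spec%%=*}          # SOURCE part of SOURCE[=TARGET]
        if covers_etc "$src"; then
            echo "warning: --share=$spec makes host /etc writable from the container" >&2
            risky=1
        fi
    done
    return "$risky"
}

# Usage in a wrapper script:
#   check_share_args "$@" || exit 1
#   exec guix "$@"
```

Because the comparison is literal, a wrapper built on this should pass only absolute paths, or canonicalise them first.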



