Re: User shell: state or config?

[mikadoZero <mikadozero@yandex.com>]

Ludovic Courtès writes:

> Hello Guix!
>
> We recently discussed handling of the ‘shell’ field of ‘user-account’:
>
>   https://lists.gnu.org/archive/html/help-guix/2019-04/msg00171.html
>
> As I wrote there, starting with the switch to (gnu build accounts) in
> 0ae735bcc8ff7fdc89d67b492bdee9091ee19e86, user shells are considered
> “state”.  Before they were “config”: ‘guix system reconfigure’ would
> always reset the user shells.
>
> Considering user shells as state seemed like a good idea because, on a
> multi-user system, you’d rather let user invoke ‘chsh’ than have root
> reconfigure the system just to change the user’s shell.  The patches
> below document that.
>
> However, thinking more about it, I’m not sure if considering shells as
> state is such a good idea, for several reasons:
>
>   1. It’s surprising that ‘guix system reconfigure’ doesn’t actually
>      change the shell, as Tanguy reported.

As a new user of Guix System I was recently surprised by this as well.
I was expecting the shell to be managed by configuration.

https://lists.gnu.org/archive/html/help-guix/2019-03/msg00089.html

>   2. ‘chsh’ restricts users to the shells listed in /etc/shells anyway,
>      which is the combination of all the ‘shell’ fields, currently.
>
>      Given this restriction, you might just as well ask the admin to
>      change the shell for you.
>
>   3. It’s easy to end up with a shell that’s eventually GC’d.
>
>      Scenario #1: your shell is initially set to
>      /gnu/store/…-bash/bin/bash, which at the time is GC-protected
>      (listed in /etc/shells, etc.).  However, later, this specific Bash
>      variant is GC’d, and boom, you’re left with nothing.
>
>      Scenario #2: you set your shell to
>      /run/current-system/profile/bin/zsh, which is GC-protected, but
>      eventually the admin removes zsh for the global profile.
>
> All in all, I’m in favor of switching back to the previous behavior:
> considering user shells as system config.  That’s a one-line change in
> (gnu build accounts).
>
> Thoughts?
>
> Ludo’.
>
> From d1586f0c77cf63d0259cca9fc50c210c584529b3 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
> Date: Thu, 25 Apr 2019 12:10:06 +0200
> Subject: [PATCH 1/2] system: Add 'chsh' to %SETUID-PROGRAMS.
>
> * gnu/system/pam.scm (base-pam-services): Add "chsh".
> * gnu/system.scm (%setuid-programs): Add chsh.
> ---
>  gnu/system.scm     | 1 +
>  gnu/system/pam.scm | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/system.scm b/gnu/system.scm
> index b00d384fee..a85ec109ac 100644
> --- a/gnu/system.scm
> +++ b/gnu/system.scm
> @@ -794,6 +794,7 @@ use 'plain-file' instead~%")
>    ;; Default set of setuid-root programs.
>    (let ((shadow (@ (gnu packages admin) shadow)))
>      (list (file-append shadow "/bin/passwd")
> +          (file-append shadow "/bin/chsh")
>            (file-append shadow "/bin/su")
>            (file-append shadow "/bin/newuidmap")
>            (file-append shadow "/bin/newgidmap")
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index 13f76a50ed..27239c5621 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> @@ -1,5 +1,5 @@
>  ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
> +;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès <ludo@gnu.org>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -265,7 +265,7 @@ authenticate to run COMMAND."
>            ;; These programs are setuid-root.
>            (map (cut unix-pam-service <>
>                      #:allow-empty-passwords? allow-empty-passwords?)
> -               '("passwd" "sudo"))
> +               '("passwd" "chsh" "sudo"))
>            ;; This is setuid-root, as well.  Allow root to run "su" without
>            ;; authenticating.
>            (list (unix-pam-service "su"
> -- 
> 2.21.0
>
> From 6ab1ecd628f13829e31e4bcbe7bf0ff53951eedd Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
> Date: Thu, 25 Apr 2019 12:23:11 +0200
> Subject: [PATCH 2/2] doc: Document 'chsh'.
>
> * doc/guix.texi (User Accounts): Document 'chsh'.
> ---
>  doc/guix.texi | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 879cb562e9..b5048f7269 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -11000,6 +11000,15 @@ if it does not exist yet.
>  This is a G-expression denoting the file name of a program to be used as
>  the shell (@pxref{G-Expressions}).
>  
> +Users may change their shell at any time by running the @command{chsh}
> +command---run @command{man chsh} for more info.  The list of allowed shells
> +can be found in the @file{/etc/shells} file, which is itself the combination
> +of the @code{shell} fields of all the user accounts.
> +
> +Because the account's shell is user-modifiable system state---just like
> +passwords---it is preserved across reboots and reconfiguration, even if the
> +administrator changes the value of the @code{shell} field.
> +
>  @item @code{system?} (default: @code{#f})
>  This Boolean value indicates whether the account is a ``system''
>  account.  System accounts are sometimes treated specially; for instance,