From mboxrd@z Thu Jan  1 00:00:00 1970
From: mikadoZero <mikadozero@yandex.com>
Subject: Re: User shell: state or config?
Date: Thu, 25 Apr 2019 07:59:05 -0400
Message-ID: <cuc4l6mi9di.fsf@yandex.com>
References: <874l6mpduo.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:40066)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mikadozero@yandex.com>) id 1hJd2m-0000KV-Sg
	for guix-devel@gnu.org; Thu, 25 Apr 2019 08:00:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mikadozero@yandex.com>) id 1hJd2l-0002N3-Dm
	for guix-devel@gnu.org; Thu, 25 Apr 2019 08:00:00 -0400
Received: from forward102j.mail.yandex.net ([2a02:6b8:0:801:2::102]:53332)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mikadozero@yandex.com>)
	id 1hJd2k-0002Kr-Nu
	for guix-devel@gnu.org; Thu, 25 Apr 2019 07:59:59 -0400
Received: from mxback19g.mail.yandex.net (mxback19g.mail.yandex.net
	[IPv6:2a02:6b8:0:1472:2741:0:8b7:319])
	by forward102j.mail.yandex.net (Yandex) with ESMTP id 66736F21B56
	for <guix-devel@gnu.org>; Thu, 25 Apr 2019 14:59:54 +0300 (MSK)
In-reply-to: <874l6mpduo.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

Ludovic Court=C3=A8s writes:

> Hello Guix!
>
> We recently discussed handling of the =E2=80=98shell=E2=80=99 field of =
=E2=80=98user-account=E2=80=99:
>
>   https://lists.gnu.org/archive/html/help-guix/2019-04/msg00171.html
>
> As I wrote there, starting with the switch to (gnu build accounts) in
> 0ae735bcc8ff7fdc89d67b492bdee9091ee19e86, user shells are considered
> =E2=80=9Cstate=E2=80=9D.  Before they were =E2=80=9Cconfig=E2=80=9D: =E2=
=80=98guix system reconfigure=E2=80=99 would
> always reset the user shells.
>
> Considering user shells as state seemed like a good idea because, on a
> multi-user system, you=E2=80=99d rather let user invoke =E2=80=98chsh=E2=
=80=99 than have root
> reconfigure the system just to change the user=E2=80=99s shell.  The patc=
hes
> below document that.
>
> However, thinking more about it, I=E2=80=99m not sure if considering shel=
ls as
> state is such a good idea, for several reasons:
>
>   1. It=E2=80=99s surprising that =E2=80=98guix system reconfigure=E2=80=
=99 doesn=E2=80=99t actually
>      change the shell, as Tanguy reported.

As a new user of Guix System I was recently surprised by this as well.
I was expecting the shell to be managed by configuration.

https://lists.gnu.org/archive/html/help-guix/2019-03/msg00089.html

>   2. =E2=80=98chsh=E2=80=99 restricts users to the shells listed in /etc/=
shells anyway,
>      which is the combination of all the =E2=80=98shell=E2=80=99 fields, =
currently.
>
>      Given this restriction, you might just as well ask the admin to
>      change the shell for you.
>
>   3. It=E2=80=99s easy to end up with a shell that=E2=80=99s eventually G=
C=E2=80=99d.
>
>      Scenario #1: your shell is initially set to
>      /gnu/store/=E2=80=A6-bash/bin/bash, which at the time is GC-protected
>      (listed in /etc/shells, etc.).  However, later, this specific Bash
>      variant is GC=E2=80=99d, and boom, you=E2=80=99re left with nothing.
>
>      Scenario #2: you set your shell to
>      /run/current-system/profile/bin/zsh, which is GC-protected, but
>      eventually the admin removes zsh for the global profile.
>
> All in all, I=E2=80=99m in favor of switching back to the previous behavi=
or:
> considering user shells as system config.  That=E2=80=99s a one-line chan=
ge in
> (gnu build accounts).
>
> Thoughts?
>
> Ludo=E2=80=99.
>
> From d1586f0c77cf63d0259cca9fc50c210c584529b3 Mon Sep 17 00:00:00 2001
> From: =3D?UTF-8?q?Ludovic=3D20Court=3DC3=3DA8s?=3D <ludo@gnu.org>
> Date: Thu, 25 Apr 2019 12:10:06 +0200
> Subject: [PATCH 1/2] system: Add 'chsh' to %SETUID-PROGRAMS.
>
> * gnu/system/pam.scm (base-pam-services): Add "chsh".
> * gnu/system.scm (%setuid-programs): Add chsh.
> ---
>  gnu/system.scm     | 1 +
>  gnu/system/pam.scm | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/system.scm b/gnu/system.scm
> index b00d384fee..a85ec109ac 100644
> --- a/gnu/system.scm
> +++ b/gnu/system.scm
> @@ -794,6 +794,7 @@ use 'plain-file' instead~%")
>    ;; Default set of setuid-root programs.
>    (let ((shadow (@ (gnu packages admin) shadow)))
>      (list (file-append shadow "/bin/passwd")
> +          (file-append shadow "/bin/chsh")
>            (file-append shadow "/bin/su")
>            (file-append shadow "/bin/newuidmap")
>            (file-append shadow "/bin/newgidmap")
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index 13f76a50ed..27239c5621 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> @@ -1,5 +1,5 @@
>  ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s <=
ludo@gnu.org>
> +;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Court=C3=
=A8s <ludo@gnu.org>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -265,7 +265,7 @@ authenticate to run COMMAND."
>            ;; These programs are setuid-root.
>            (map (cut unix-pam-service <>
>                      #:allow-empty-passwords? allow-empty-passwords?)
> -               '("passwd" "sudo"))
> +               '("passwd" "chsh" "sudo"))
>            ;; This is setuid-root, as well.  Allow root to run "su" witho=
ut
>            ;; authenticating.
>            (list (unix-pam-service "su"
> --=20
> 2.21.0
>
> From 6ab1ecd628f13829e31e4bcbe7bf0ff53951eedd Mon Sep 17 00:00:00 2001
> From: =3D?UTF-8?q?Ludovic=3D20Court=3DC3=3DA8s?=3D <ludo@gnu.org>
> Date: Thu, 25 Apr 2019 12:23:11 +0200
> Subject: [PATCH 2/2] doc: Document 'chsh'.
>
> * doc/guix.texi (User Accounts): Document 'chsh'.
> ---
>  doc/guix.texi | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 879cb562e9..b5048f7269 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -11000,6 +11000,15 @@ if it does not exist yet.
>  This is a G-expression denoting the file name of a program to be used as
>  the shell (@pxref{G-Expressions}).
>=20=20
> +Users may change their shell at any time by running the @command{chsh}
> +command---run @command{man chsh} for more info.  The list of allowed she=
lls
> +can be found in the @file{/etc/shells} file, which is itself the combina=
tion
> +of the @code{shell} fields of all the user accounts.
> +
> +Because the account's shell is user-modifiable system state---just like
> +passwords---it is preserved across reboots and reconfiguration, even if =
the
> +administrator changes the value of the @code{shell} field.
> +
>  @item @code{system?} (default: @code{#f})
>  This Boolean value indicates whether the account is a ``system''
>  account.  System accounts are sometimes treated specially; for instance,