From: Ludovic Courtès
Subject: User shell: state or config?
Date: Thu, 25 Apr 2019 12:40:31 +0200
Message-ID: <874l6mpduo.fsf@gnu.org>
To: Guix-devel

Hello Guix!

We recently discussed handling of the ‘shell’ field of ‘user-account’:

  https://lists.gnu.org/archive/html/help-guix/2019-04/msg00171.html

As I wrote there, starting with the switch to (gnu build accounts) in 0ae735bcc8ff7fdc89d67b492bdee9091ee19e86, user shells are considered “state”. Before they were “config”: ‘guix system reconfigure’ would always reset the user shells.

Considering user shells as state seemed like a good idea because, on a multi-user system, you’d rather let user invoke ‘chsh’ than have root reconfigure the system just to change the user’s shell. The patches below document that.

However, thinking more about it, I’m not sure if considering shells as state is such a good idea, for several reasons:

  1. It’s surprising that ‘guix system reconfigure’ doesn’t actually change the shell, as Tanguy reported.

  2. ‘chsh’ restricts users to the shells listed in /etc/shells anyway, which is the combination of all the ‘shell’ fields, currently.
     Given this restriction, you might just as well ask the admin to change the shell for you.

  3. It’s easy to end up with a shell that’s eventually GC’d.

     Scenario #1: your shell is initially set to /gnu/store/…-bash/bin/bash, which at the time is GC-protected (listed in /etc/shells, etc.). However, later, this specific Bash variant is GC’d, and boom, you’re left with nothing.

     Scenario #2: you set your shell to /run/current-system/profile/bin/zsh, which is GC-protected, but eventually the admin removes zsh for the global profile.

All in all, I’m in favor of switching back to the previous behavior: considering user shells as system config. That’s a one-line change in (gnu build accounts).

Thoughts?

Ludo’.

--=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0001-system-Add-chsh-to-SETUID-PROGRAMS.patch Content-Transfer-Encoding: quoted-printable Content-Description: allow for chsh >From d1586f0c77cf63d0259cca9fc50c210c584529b3 Mon Sep 17 00:00:00 2001 From: =3D?UTF-8?q?Ludovic=3D20Court=3DC3=3DA8s?=3D Date: Thu, 25 Apr 2019 12:10:06 +0200 Subject: [PATCH 1/2] system: Add 'chsh' to %SETUID-PROGRAMS. * gnu/system/pam.scm (base-pam-services): Add "chsh". * gnu/system.scm (%setuid-programs): Add chsh. --- gnu/system.scm | 1 + gnu/system/pam.scm | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/system.scm b/gnu/system.scm index b00d384fee..a85ec109ac 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -794,6 +794,7 @@ use 'plain-file' instead~%") ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/chsh") (file-append shadow "/bin/su") (file-append shadow "/bin/newuidmap") (file-append shadow "/bin/newgidmap") diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index 13f76a50ed..27239c5621 100644 --- a/gnu/system/pam.scm 
+++ b/gnu/system/pam.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Court=C3= =A8s ;;; ;;; This file is part of GNU Guix. ;;; @@ -265,7 +265,7 @@ authenticate to run COMMAND." ;; These programs are setuid-root. (map (cut unix-pam-service <> #:allow-empty-passwords? allow-empty-passwords?) - '("passwd" "sudo")) + '("passwd" "chsh" "sudo")) ;; This is setuid-root, as well. Allow root to run "su" without ;; authenticating. (list (unix-pam-service "su" --=20 2.21.0 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-doc-Document-chsh.patch Content-Description: document >From 6ab1ecd628f13829e31e4bcbe7bf0ff53951eedd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Thu, 25 Apr 2019 12:23:11 +0200 Subject: [PATCH 2/2] doc: Document 'chsh'. * doc/guix.texi (User Accounts): Document 'chsh'. --- doc/guix.texi | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 879cb562e9..b5048f7269 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -11000,6 +11000,15 @@ if it does not exist yet. This is a G-expression denoting the file name of a program to be used as the shell (@pxref{G-Expressions}). +Users may change their shell at any time by running the @command{chsh} +command---run @command{man chsh} for more info. The list of allowed shells +can be found in the @file{/etc/shells} file, which is itself the combination +of the @code{shell} fields of all the user accounts. + +Because the account's shell is user-modifiable system state---just like +passwords---it is preserved across reboots and reconfiguration, even if the +administrator changes the value of the @code{shell} field. + @item @code{system?} (default: @code{#f}) This Boolean value indicates whether the account is a ``system'' account. System accounts are sometimes treated specially; for instance, -- 2.21.0 --=-=-=--
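
Review bot: In the gnu/system.scm hunk, the new `(file-append shadow "/bin/chsh")` entry makes chsh setuid-root on every system that uses the default %setuid-programs, while the cover letter proposes going back to treating shells as config, in which case a shell set with chsh would be reset by the next reconfigure. I would hold this entry until that decision is made, or make it opt-in, so the default setuid-root set does not grow for a feature that may be reverted.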
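
Review bot: In the gnu/system/pam.scm hunk at line 265, "chsh" picks up `#:allow-empty-passwords? allow-empty-passwords?` from the shared `unix-pam-service` mapping, so where empty passwords are allowed an account without a password can change its login shell with no authentication step. That is consistent with "passwd" and "sudo", but it is worth stating in the comment above the list, which currently only says the programs are setuid-root.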
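
Review bot: In the doc/guix.texi hunk, the second added paragraph tells administrators that changing the `shell` field does not affect an existing account but not what they should do instead, which is the surprise described in point 1 of the cover letter. Add a sentence on how an administrator is expected to change an existing account's shell, and note that a shell chosen through chsh can later disappear: the first paragraph says /etc/shells is derived from the `shell` fields, so an entry can drop out of it after a reconfigure, and the cover letter describes the shell then being garbage-collected.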
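
The two dangling-shell scenarios in the message above can be checked for on a running system. This is an added example, not part of the original message or of Guix; `find_stale_shells`, `demo` and the sample accounts are hypothetical, and the store path is a placeholder.

```shell
#!/bin/sh
# Added example, not Guix code: report accounts whose login shell is gone
# or is no longer an allowed shell.
# Usage: find_stale_shells PASSWD_FILE SHELLS_FILE
# Output: one "<user> <shell> <missing|unlisted>" line per finding.
find_stale_shells() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # Skip blank lines, comments and entries without a shell field.
        case $user in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || continue
        # Accounts that are not meant to log in are out of scope.
        case $shell in */nologin|*/false) continue ;; esac
        if [ ! -x "$shell" ]; then
            # Store item collected, or a dangling profile symlink after
            # the package left the global profile.
            printf '%s %s missing\n' "$user" "$shell"
        elif ! grep -qxF -- "$shell" "$shells_file"; then
            # Still present, but chsh would no longer accept it.
            printf '%s %s unlisted\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# Constructed sample data; the store path is a placeholder, not a real item.
demo() {
    d=$(mktemp -d) || return 1
    ln -s /bin/sh "$d/zsh"              # stands in for an installed zsh
    printf '%s\n' /bin/sh > "$d/shells"
    {
        printf 'alice:x:1000:998:Alice:/home/alice:/bin/sh\n'
        printf 'bob:x:1001:998:Bob:/home/bob:%s\n' \
            '/gnu/store/PLACEHOLDER-bash/bin/bash'
        printf 'carol:x:1002:998:Carol:/home/carol:%s\n' "$d/zsh"
        printf 'daemon:x:1:1::/var/empty:/sbin/nologin\n'
    } > "$d/passwd"
    find_stale_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}

case ${1:-} in
    --check) find_stale_shells /etc/passwd /etc/shells ;;
    --demo)  demo ;;
esac
```

Run with `--check` after a reconfigure or before `guix gc` to see which accounts would be left without a usable shell.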