* bug#23971: Nobody has a shell
From: Vincent Legoll @ 2016-07-13 10:10 UTC
To: 23971

vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash

On my debian, this user is left out the door:

$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Even its HOME directory is non existent, purposely...

Is this not a security risk (greater attack surface) or something like that ?

--
Vincent Legoll

* bug#23971: Nobody has a shell
From: Ludovic Courtès @ 2016-07-13 22:01 UTC
To: Vincent Legoll; +Cc: 23971-done

Vincent Legoll <vincent.legoll@gmail.com> wrote:

> vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
> nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
>
> On my debian, this user is left out the door:
>
> $ grep nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>
> Even its HOME directory is non existent, purposely...

Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.

The ‘shell’ field was omitted from the definition of “nobody”, which is
why it ended up using Bash, which is the default shell.

Thanks!
Ludo’.

* bug#23971: Nobody has a shell
From: Vincent Legoll @ 2016-07-14 10:25 UTC
To: Ludovic Courtès; +Cc: 23971-done

> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>
> The ‘shell’ field was omitted from the definition of “nobody”, which is
> why it ended up using Bash, which is the default shell.

Thanks the fix looks good, but I tried with guix system reconfigure
after guix pull
That does not change /etc/passwd

I tried guix refresh, but got that bt:

#####################################################################
Backtrace:
In unknown file:
   ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
In ice-9/boot-9.scm:
  63: 18 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 17 [eval # #]
In ice-9/boot-9.scm:
2401: 16 [save-module-excursion #<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
1724: 14 [%start-stack load-stack #<procedure f5bc00 at ice-9/boot-9.scm:4041:10 ()>]
1729: 13 [#<procedure f5fea0 ()>]
In unknown file:
   ?: 12 [primitive-load "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
In guix/ui.scm:
1209: 11 [run-guix-command refresh]
In ice-9/boot-9.scm:
 157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
 157: 9 [catch system-error ...]
In guix/scripts/refresh.scm:
 382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
 401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
In srfi/srfi-1.scm:
 616: 6 [for-each #<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> ...]
In guix/scripts/refresh.scm:
 402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
In guix/upstream.scm:
 135: 4 [package-update-path # #]
In ice-9/boot-9.scm:
 157: 3 [catch srfi-34 #<procedure 3531c00 at guix/import/pypi.scm:313:2 ()> ...]
In guix/import/pypi.scm:
 317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
  68: 1 [latest-source-release #f]
In unknown file:
   ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]

ERROR: In procedure find:
ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
#####################################################################

What did I do wrong ?

--
Vincent Legoll

* bug#23971: Nobody has a shell
From: Efraim Flashner @ 2016-07-14 18:36 UTC
To: Vincent Legoll; +Cc: 23971-done

On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
>
> I tried guix refresh, but got that bt:
>
> #####################################################################
> Backtrace:
> In unknown file:
>    ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
> In ice-9/boot-9.scm:
>   63: 18 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
>  432: 17 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 16 [save-module-excursion #<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 14 [%start-stack load-stack #<procedure f5bc00 at ice-9/boot-9.scm:4041:10 ()>]
> 1729: 13 [#<procedure f5fea0 ()>]
> In unknown file:
>    ?: 12 [primitive-load "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
> In guix/ui.scm:
> 1209: 11 [run-guix-command refresh]
> In ice-9/boot-9.scm:
>  157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
>  157: 9 [catch system-error ...]
> In guix/scripts/refresh.scm:
>  382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
>  401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
> In srfi/srfi-1.scm:
>  616: 6 [for-each #<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> ...]
> In guix/scripts/refresh.scm:
>  402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
> In guix/upstream.scm:
>  135: 4 [package-update-path # #]
> In ice-9/boot-9.scm:
>  157: 3 [catch srfi-34 #<procedure 3531c00 at guix/import/pypi.scm:313:2 ()> ...]
> In guix/import/pypi.scm:
>  317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
>   68: 1 [latest-source-release #f]
> In unknown file:
>    ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
>
> ERROR: In procedure find:
> ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
> #####################################################################
>
> What did I do wrong ?
>
> --
> Vincent Legoll
>

`guix refresh' checks upstream for newer releases of software than what
Guix currently knows, so here it was checking for newer software from
pypi, which hasn't been updated since pypi changed their uri scheme.

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

* bug#23971: Nobody has a shell
From: Leo Famulari @ 2016-07-14 20:10 UTC
To: Vincent Legoll; +Cc: 23971-done

On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

I've noticed that certain changes to my own user require reboot.

Others, which involve bringing previously non-Guix controlled user
parameters under control of Guix, seemed to require me to remove the
user from my system configuration, reconfigure, and then re-add the
user. I'm not sure what nobody's GuixSD user configuration would look
like.

Neither is a good solution, but could you try them out?

* bug#23971: Nobody has a shell
From: Vincent Legoll @ 2016-07-15 7:30 UTC
To: Leo Famulari; +Cc: 23971-done

Thanks Efraim, I should have RTFM more on guix refresh, I guess...

Leo, yes I'll try reboot to see if it makes any difference, and then
remove the user if that doesn't do it. And report here.

On Thu, Jul 14, 2016 at 10:10 PM, Leo Famulari <leo@famulari.name> wrote:
> On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
>> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>> >
>> > The ‘shell’ field was omitted from the definition of “nobody”, which is
>> > why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> I've noticed that certain changes to my own user require reboot.
>
> Others, which involve bringing previously non-Guix controlled user
> parameters under control of Guix, seemed to require me to remove the
> user from my system configuration, reconfigure, and then re-add the
> user. I'm not sure what nobody's GuixSD user configuration would look
> like.
>
> Neither is a good solution, but could you try them out?

--
Vincent Legoll

* bug#23971: Nobody has a shell
From: Ludovic Courtès @ 2016-07-15 13:03 UTC
To: Vincent Legoll; +Cc: 23971-done

Vincent Legoll <vincent.legoll@gmail.com> wrote:

>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>
>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>> why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

It does change /etc/passwd (specifically, this is done in ‘modify-user’
in activation.scm, which is itself run from the activation script of the
new system that ‘guix system reconfigure’ runs; note that this changes
the shell but leaves the home directory unchanged, see the comment in
there.)

Could it be that you did not run ‘guix pull’ as root? Remember that
‘guix pull’ is per-user:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-pull.html

HTH,
Ludo’.

* bug#23971: Nobody has a shell
From: Vincent Legoll @ 2016-07-23 6:48 UTC
To: Ludovic Courtès; +Cc: 23971-done

On Fri, Jul 15, 2016 at 3:03 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> Vincent Legoll <vincent.legoll@gmail.com> wrote:
>
>>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>>
>>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>>> why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> It does change /etc/passwd (specifically, this is done in ‘modify-user’
> in activation.scm, which is itself run from the activation script of the
> new system that ‘guix system reconfigure’ runs; note that this changes
> the shell but leaves the home directory unchanged, see the comment in
> there.)
>
> Could it be that you did not run ‘guix pull’ as root? Remember that
> ‘guix pull’ is per-user:

Yep, that was probably the case.

I tested in a new VM (from scratch) 0.10.0 usb install

- initially: /var/empty + bash
- guix pull + reconfigure: usermod: change shell to nologin, but home dir
  stayed the same
- delete user nobody + guix system reconfigure: user nobody is back, with
  /nonexistent home dir

So this looks like it is fixed, and next usb install should be good
from 1st day...

--
Vincent Legoll

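The `grep nobody /etc/passwd` check from this thread, generalized to every service account, as an added example that is not part of the thread or of Guix. The function names `audit_passwd` and `sample_passwd` and the `UID_MIN` boundary of 1000 are assumptions of the example.

```shell
#!/bin/sh
# Added example: list service accounts in passwd(5)-format input that still
# have a login shell, the condition reported for "nobody" in this thread.
# Usage on a live system: audit_passwd /etc/passwd

# UID_MIN (default 1000) is an assumed boundary between service and regular
# accounts; uid 65534 is always checked, root (uid 0) never is.
audit_passwd() {
    awk -F: -v uid_min="${UID_MIN:-1000}" '
        /^[ \t]*(#|$)/ { next }                  # comments, blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        {
            uid = $3 + 0
            if (uid == 0 || (uid >= uid_min + 0 && uid != 65534)) next
            # Compare the basename so that store paths ending in
            # /sbin/nologin are accepted as well as /usr/sbin/nologin.
            n = split($7, part, "/")
            base = (n > 0) ? part[n] : ""
            if ($7 == "")                        # passwd(5): empty means /bin/sh
                printf "LOGIN-SHELL %s uid=%d shell=(empty: /bin/sh)\n", $1, uid
            else if (base != "nologin" && base != "false")
                printf "LOGIN-SHELL %s uid=%d shell=%s\n", $1, uid, $7
        }
    ' "$@"
}

# Sample input: the "nobody" line is the one from the bug report; the other
# entries are constructed for illustration.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:
alice:x:1000:1000::/home/alice:/bin/bash
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
EOF
}

sample_passwd | audit_passwd
```

The check looks only at the shell field; as the last message notes, the home directory can lag behind after a reconfigure and has to be inspected separately.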