Re: User shell: state or config?
From: mikadoZero
Subject: Re: User shell: state or config?
Date: Thu, 25 Apr 2019 07:59:05 -0400
User-agent: mu4e 1.2.0; emacs 26.2
Ludovic Courtès writes:
> Hello Guix!
>
> We recently discussed handling of the ‘shell’ field of ‘user-account’:
>
> https://lists.gnu.org/archive/html/help-guix/2019-04/msg00171.html
>
> As I wrote there, starting with the switch to (gnu build accounts) in
> 0ae735bcc8ff7fdc89d67b492bdee9091ee19e86, user shells are considered
> “state”. Before they were “config”: ‘guix system reconfigure’ would
> always reset the user shells.
>
> Considering user shells as state seemed like a good idea because, on a
> multi-user system, you’d rather let users invoke ‘chsh’ than have root
> reconfigure the system just to change the user’s shell. The patches
> below document that.
>
> However, thinking more about it, I’m not sure if considering shells as
> state is such a good idea, for several reasons:
>
> 1. It’s surprising that ‘guix system reconfigure’ doesn’t actually
> change the shell, as Tanguy reported.
As a new user of Guix System I was recently surprised by this as well.
I was expecting the shell to be managed by configuration.
https://lists.gnu.org/archive/html/help-guix/2019-03/msg00089.html
> 2. ‘chsh’ restricts users to the shells listed in /etc/shells anyway,
> which is the combination of all the ‘shell’ fields, currently.
>
> Given this restriction, you might just as well ask the admin to
> change the shell for you.
>
> 3. It’s easy to end up with a shell that’s eventually GC’d.
>
> Scenario #1: your shell is initially set to
> /gnu/store/…-bash/bin/bash, which at the time is GC-protected
> (listed in /etc/shells, etc.). However, later, this specific Bash
> variant is GC’d, and boom, you’re left with nothing.
>
> Scenario #2: you set your shell to
> /run/current-system/profile/bin/zsh, which is GC-protected, but
> eventually the admin removes zsh from the global profile.
>
> All in all, I’m in favor of switching back to the previous behavior:
> considering user shells as system config. That’s a one-line change in
> (gnu build accounts).
>
> Thoughts?
>
> Ludo’.
>
> From d1586f0c77cf63d0259cca9fc50c210c584529b3 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <address@hidden>
> Date: Thu, 25 Apr 2019 12:10:06 +0200
> Subject: [PATCH 1/2] system: Add 'chsh' to %SETUID-PROGRAMS.
>
> * gnu/system/pam.scm (base-pam-services): Add "chsh".
> * gnu/system.scm (%setuid-programs): Add chsh.
> ---
> gnu/system.scm | 1 +
> gnu/system/pam.scm | 4 ++--
> 2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/system.scm b/gnu/system.scm
> index b00d384fee..a85ec109ac 100644
> --- a/gnu/system.scm
> +++ b/gnu/system.scm
> @@ -794,6 +794,7 @@ use 'plain-file' instead~%")
> ;; Default set of setuid-root programs.
> (let ((shadow (@ (gnu packages admin) shadow)))
> (list (file-append shadow "/bin/passwd")
> + (file-append shadow "/bin/chsh")
> (file-append shadow "/bin/su")
> (file-append shadow "/bin/newuidmap")
> (file-append shadow "/bin/newgidmap")
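Review bot: The new `(file-append shadow "/bin/chsh")` entry puts one more setuid-root binary in the default list for every system, while the message above leans towards treating user shells as config again, in which case chsh would be overridden on the next reconfigure. Suggest holding this until that question is settled, or at least extending the comment `;; Default set of setuid-root programs.` to say that chsh relies on the "chsh" PAM service added in gnu/system/pam.scm, so the two lists stay in sync.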
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index 13f76a50ed..27239c5621 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> @@ -1,5 +1,5 @@
> ;;; GNU Guix --- Functional package management for GNU
> -;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <address@hidden>
> +;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès
> <address@hidden>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -265,7 +265,7 @@ authenticate to run COMMAND."
> ;; These programs are setuid-root.
> (map (cut unix-pam-service <>
> #:allow-empty-passwords? allow-empty-passwords?)
> - '("passwd" "sudo"))
> + '("passwd" "chsh" "sudo"))
> ;; This is setuid-root, as well. Allow root to run "su" without
> ;; authenticating.
> (list (unix-pam-service "su"
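Review bot: In the `'("passwd" "chsh" "sudo")` list, "chsh" now gets the same `unix-pam-service` as passwd and sudo, including `#:allow-empty-passwords? allow-empty-passwords?`, and nothing in the hunk says whether that is intended for chsh. Suggest confirming it, and mentioning in the commit log that this entry only matters together with the %setuid-programs change in gnu/system.scm, since the comment above the list states that these programs are setuid-root.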
> --
> 2.21.0
>
> From 6ab1ecd628f13829e31e4bcbe7bf0ff53951eedd Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <address@hidden>
> Date: Thu, 25 Apr 2019 12:23:11 +0200
> Subject: [PATCH 2/2] doc: Document 'chsh'.
>
> * doc/guix.texi (User Accounts): Document 'chsh'.
> ---
> doc/guix.texi | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 879cb562e9..b5048f7269 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -11000,6 +11000,15 @@ if it does not exist yet.
> This is a G-expression denoting the file name of a program to be used as
> the shell (@pxref{G-Expressions}).
>
> +Users may change their shell at any time by running the @command{chsh}
> +command---run @command{man chsh} for more info. The list of allowed shells
> +can be found in the @file{/etc/shells} file, which is itself the combination
> +of the @code{shell} fields of all the user accounts.
> +
> +Because the account's shell is user-modifiable system state---just like
> +passwords---it is preserved across reboots and reconfiguration, even if the
> +administrator changes the value of the @code{shell} field.
> +
> @item @code{system?} (default: @code{#f})
> This Boolean value indicates whether the account is a ``system''
> account. System accounts are sometimes treated specially; for instance,
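Review bot: The second added paragraph says the shell "is preserved across reboots and reconfiguration, even if the administrator changes the value of the @code{shell} field", but it does not say how an administrator can then change an existing account's shell, nor that a shell chosen with chsh can disappear later (the garbage-collection and profile-removal scenarios in the message above). Suggest adding a sentence on each; also, `@command{chsh} command---run @command{man chsh}` would read better as two sentences.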
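The dangling-shell scenarios in point 3 of the quoted message can be checked for on a running system. The following is an added example, not part of the thread or of Guix; the function names `audit_shells` and `make_sample` and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts whose login shell is gone or is not
# listed in the shells file. Names and sample data are constructed.

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user<TAB>shell<TAB>reason" for each problem account.
audit_shells() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|\#*) continue ;; esac      # skip blanks/comments
        [ -n "$shell" ] || shell=/bin/sh            # empty field: /bin/sh
        if [ ! -x "$shell" ]; then
            # e.g. a /gnu/store/... path that was garbage-collected
            printf '%s\t%s\tmissing\n' "$user" "$shell"
        elif ! grep -Fxq -- "$shell" "$shells_file"; then
            printf '%s\t%s\tnot-in-shells\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# make_sample DIR: constructed passwd and shells files for the demo.
make_sample() {
    dir=$1
    mkdir -p "$dir/bin"
    for s in bash fish; do
        printf '#!/bin/sh\n' > "$dir/bin/$s"
        chmod +x "$dir/bin/$s"
    done
    # zsh is listed but never created: it stands for a removed shell.
    printf '%s\n' "$dir/bin/bash" "$dir/bin/zsh" > "$dir/shells"
    cat > "$dir/passwd" <<EOF
alice:x:1000:998:Alice:/home/alice:$dir/bin/bash
bob:x:1001:998:Bob:/home/bob:$dir/bin/zsh
carol:x:1002:998:Carol:/home/carol:$dir/bin/fish
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_shells "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system the same function is called as `audit_shells /etc/passwd /etc/shells`.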