guix-devel

User shell: state or config?


From: Ludovic Courtès
Subject: User shell: state or config?
Date: Thu, 25 Apr 2019 12:40:31 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)

Hello Guix!

We recently discussed handling of the ‘shell’ field of ‘user-account’:

  https://lists.gnu.org/archive/html/help-guix/2019-04/msg00171.html

As I wrote there, starting with the switch to (gnu build accounts) in
0ae735bcc8ff7fdc89d67b492bdee9091ee19e86, user shells are considered
“state”.  Before they were “config”: ‘guix system reconfigure’ would
always reset the user shells.

Considering user shells as state seemed like a good idea because, on a
multi-user system, you’d rather let users invoke ‘chsh’ than have root
reconfigure the system just to change the user’s shell.  The patches
below document that.

However, thinking more about it, I’m not sure if considering shells as
state is such a good idea, for several reasons:

  1. It’s surprising that ‘guix system reconfigure’ doesn’t actually
     change the shell, as Tanguy reported.

  2. ‘chsh’ restricts users to the shells listed in /etc/shells anyway,
     which is the combination of all the ‘shell’ fields, currently.

     Given this restriction, you might just as well ask the admin to
     change the shell for you.

  3. It’s easy to end up with a shell that’s eventually GC’d.

     Scenario #1: your shell is initially set to
     /gnu/store/…-bash/bin/bash, which at the time is GC-protected
     (listed in /etc/shells, etc.).  However, later, this specific Bash
     variant is GC’d, and boom, you’re left with nothing.

     Scenario #2: you set your shell to
     /run/current-system/profile/bin/zsh, which is GC-protected, but
     eventually the admin removes zsh from the global profile.

All in all, I’m in favor of switching back to the previous behavior:
considering user shells as system config.  That’s a one-line change in
(gnu build accounts).

Thoughts?

Ludo’.

From d1586f0c77cf63d0259cca9fc50c210c584529b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <address@hidden>
Date: Thu, 25 Apr 2019 12:10:06 +0200
Subject: [PATCH 1/2] system: Add 'chsh' to %SETUID-PROGRAMS.

* gnu/system/pam.scm (base-pam-services): Add "chsh".
* gnu/system.scm (%setuid-programs): Add chsh.
---
 gnu/system.scm     | 1 +
 gnu/system/pam.scm | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index b00d384fee..a85ec109ac 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -794,6 +794,7 @@ use 'plain-file' instead~%")
   ;; Default set of setuid-root programs.
   (let ((shadow (@ (gnu packages admin) shadow)))
     (list (file-append shadow "/bin/passwd")
+          (file-append shadow "/bin/chsh")
           (file-append shadow "/bin/su")
           (file-append shadow "/bin/newuidmap")
           (file-append shadow "/bin/newgidmap")
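Review bot: the added `(file-append shadow "/bin/chsh")` entry puts one more binary in the default setuid-root list of every system, and nothing next to it records why it is needed. Add a short comment tying it to the "chsh" PAM service and to user shells being treated as state; if shells go back to being config, as the cover message proposes, this entry should be dropped together with that change rather than left behind.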
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 13f76a50ed..27239c5621 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <address@hidden>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019 Ludovic Courtès 
<address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -265,7 +265,7 @@ authenticate to run COMMAND."
           ;; These programs are setuid-root.
           (map (cut unix-pam-service <>
                     #:allow-empty-passwords? allow-empty-passwords?)
-               '("passwd" "sudo"))
+               '("passwd" "chsh" "sudo"))
           ;; This is setuid-root, as well.  Allow root to run "su" without
           ;; authenticating.
           (list (unix-pam-service "su"
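Review bot: placing "chsh" in the `'("passwd" "chsh" "sudo")` list gives it the generic `unix-pam-service` with `#:allow-empty-passwords?` passed through, while "su" just below gets a separate service so that root can run it without authenticating. Check whether root running chsh on another account should get the same treatment as "su", and whether inheriting `allow-empty-passwords?` is intended for chsh; a one-line comment stating the choice would help.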
-- 
2.21.0

From 6ab1ecd628f13829e31e4bcbe7bf0ff53951eedd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <address@hidden>
Date: Thu, 25 Apr 2019 12:23:11 +0200
Subject: [PATCH 2/2] doc: Document 'chsh'.

* doc/guix.texi (User Accounts): Document 'chsh'.
---
 doc/guix.texi | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 879cb562e9..b5048f7269 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11000,6 +11000,15 @@ if it does not exist yet.
 This is a G-expression denoting the file name of a program to be used as
 the shell (@pxref{G-Expressions}).
 
+Users may change their shell at any time by running the @command{chsh}
+command---run @command{man chsh} for more info.  The list of allowed shells
+can be found in the @file{/etc/shells} file, which is itself the combination
+of the @code{shell} fields of all the user accounts.
+
+Because the account's shell is user-modifiable system state---just like
+passwords---it is preserved across reboots and reconfiguration, even if the
+administrator changes the value of the @code{shell} field.
+
 @item @code{system?} (default: @code{#f})
 This Boolean value indicates whether the account is a ``system''
 account.  System accounts are sometimes treated specially; for instance,
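Review bot: the second added paragraph says the shell is preserved "even if the administrator changes the value of the @code{shell} field", but does not say what the administrator should do instead. Add a sentence on how an administrator changes the shell of an existing account, and note that a shell file name chosen from @file{/etc/shells} can later disappear (the garbage-collection scenarios in the cover message), since the text presents chsh without that caveat.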
-- 
2.21.0

