GNU bug report logs - #23971 Nobody has a shell
Report forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Wed, 13 Jul 2016 13:07:03 GMT)
Acknowledgement sent to Vincent Legoll <vincent.legoll <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 13 Jul 2016 13:07:03 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
vince <at> guixsd ~/guix-packages$ grep nobody /etc/passwd
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
On my Debian, this user is left out the door:
$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
Even its HOME directory is nonexistent, purposely...
Is this not a security risk (greater attack surface) or something like that?
--
Vincent Legoll
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Wed, 13 Jul 2016 22:02:01 GMT)
Notification sent to Vincent Legoll <vincent.legoll <at> gmail.com>: bug acknowledged by developer. (Wed, 13 Jul 2016 22:02:02 GMT)
Message #10 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
Vincent Legoll <vincent.legoll <at> gmail.com> skribis:
> vince <at> guixsd ~/guix-packages$ grep nobody /etc/passwd
> nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
>
> On my Debian, this user is left out the door:
>
> $ grep nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>
> Even its HOME directory is nonexistent, purposely...
Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
The ‘shell’ field was omitted from the definition of “nobody”, which is
why it ended up using Bash, which is the default shell.
Thanks!
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Thu, 14 Jul 2016 10:27:02 GMT)
Message #13 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>
> The ‘shell’ field was omitted from the definition of “nobody”, which is
> why it ended up using Bash, which is the default shell.
Thanks, the fix looks good, but I tried with guix system reconfigure
after guix pull.
That does not change /etc/passwd.
I tried guix refresh, but got that bt:
#####################################################################
Backtrace:
In unknown file:
?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
In ice-9/boot-9.scm:
63: 18 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 17 [eval # #]
In ice-9/boot-9.scm:
2401: 16 [save-module-excursion #<procedure f48940 at
ice-9/boot-9.scm:4045:3 ()>]
4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
1724: 14 [%start-stack load-stack #<procedure f5bc00 at
ice-9/boot-9.scm:4041:10 ()>]
1729: 13 [#<procedure f5fea0 ()>]
In unknown file:
?: 12 [primitive-load
"/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
In guix/ui.scm:
1209: 11 [run-guix-command refresh]
In ice-9/boot-9.scm:
157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
157: 9 [catch system-error ...]
In guix/scripts/refresh.scm:
382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
In srfi/srfi-1.scm:
616: 6 [for-each #<procedure 4361740 at
guix/scripts/refresh.scm:401:22 (package)> ...]
In guix/scripts/refresh.scm:
402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
In guix/upstream.scm:
135: 4 [package-update-path # #]
In ice-9/boot-9.scm:
157: 3 [catch srfi-34 #<procedure 3531c00 at
guix/import/pypi.scm:313:2 ()> ...]
In guix/import/pypi.scm:
317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
68: 1 [latest-source-release #f]
In unknown file:
?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
ERROR: In procedure find:
ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
#####################################################################
What did I do wrong?
--
Vincent Legoll
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Thu, 14 Jul 2016 18:37:01 GMT)
Message #16 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
>
> I tried guix refresh, but got that bt:
>
> #####################################################################
> Backtrace:
> In unknown file:
> ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
> In ice-9/boot-9.scm:
> 63: 18 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
> 432: 17 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 16 [save-module-excursion #<procedure f48940 at
> ice-9/boot-9.scm:4045:3 ()>]
> 4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 14 [%start-stack load-stack #<procedure f5bc00 at
> ice-9/boot-9.scm:4041:10 ()>]
> 1729: 13 [#<procedure f5fea0 ()>]
> In unknown file:
> ?: 12 [primitive-load
> "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
> In guix/ui.scm:
> 1209: 11 [run-guix-command refresh]
> In ice-9/boot-9.scm:
> 157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
> 157: 9 [catch system-error ...]
> In guix/scripts/refresh.scm:
> 382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
> 401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
> In srfi/srfi-1.scm:
> 616: 6 [for-each #<procedure 4361740 at
> guix/scripts/refresh.scm:401:22 (package)> ...]
> In guix/scripts/refresh.scm:
> 402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
> In guix/upstream.scm:
> 135: 4 [package-update-path # #]
> In ice-9/boot-9.scm:
> 157: 3 [catch srfi-34 #<procedure 3531c00 at
> guix/import/pypi.scm:313:2 ()> ...]
> In guix/import/pypi.scm:
> 317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
> 68: 1 [latest-source-release #f]
> In unknown file:
> ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
>
> ERROR: In procedure find:
> ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
> #####################################################################
>
> What did I do wrong ?
>
> --
> Vincent Legoll
>
`guix refresh' checks upstream for newer releases of software than
what Guix currently knows, so here it was checking for newer software
from pypi, which hasn't been updated since pypi changed their uri
scheme.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Thu, 14 Jul 2016 20:11:01 GMT)
Message #19 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
I've noticed that certain changes to my own user require reboot.
Others, which involve bringing previously non-Guix controlled user
parameters under control of Guix, seemed to require me to remove the
user from my system configuration, reconfigure, and then re-add the
user. I'm not sure what nobody's GuixSD user configuration would look
like.
Neither is a good solution, but could you try them out?
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Fri, 15 Jul 2016 07:31:01 GMT)
Message #22 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
Thanks Efraim, I should have RTFM more on guix refresh, I guess...
Leo, yes I'll try reboot to see if it makes any difference, and then
remove the user if that doesn't do it. And report here.
On Thu, Jul 14, 2016 at 10:10 PM, Leo Famulari <leo <at> famulari.name> wrote:
> On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
>> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>> >
>> > The ‘shell’ field was omitted from the definition of “nobody”, which is
>> > why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> I've noticed that certain changes to my own user require reboot.
>
> Others, which involve bringing previously non-Guix controlled user
> parameters under control of Guix, seemed to require me to remove the
> user from my system configuration, reconfigure, and then re-add the
> user. I'm not sure what nobody's GuixSD user configuration would look
> like.
>
> Neither is a good solution, but could you try them out?
--
Vincent Legoll
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Fri, 15 Jul 2016 13:05:02 GMT)
Message #25 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
Vincent Legoll <vincent.legoll <at> gmail.com> skribis:
>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>
>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>> why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
It does change /etc/passwd (specifically, this is done in ‘modify-user’
in activation.scm, which is itself run from the activation script of the
new system that ‘guix system reconfigure’ runs; note that this changes
the shell but leaves the home directory unchanged, see the comment in
there.)
Could it be that you did not run ‘guix pull’ as root? Remember that
‘guix pull’ is per-user:
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-pull.html
HTH,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#23971; Package guix. (Sat, 23 Jul 2016 06:49:02 GMT)
Message #28 received at 23971-done <at> debbugs.gnu.org (full text, mbox):
On Fri, Jul 15, 2016 at 3:03 PM, Ludovic Courtès <ludo <at> gnu.org> wrote:
> Vincent Legoll <vincent.legoll <at> gmail.com> skribis:
>
>>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>>
>>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>>> why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> It does change /etc/passwd (specifically, this is done in ‘modify-user’
> in activation.scm, which is itself run from the activation script of the
> new system that ‘guix system reconfigure’ runs; note that this changes
> the shell but leaves the home directory unchanged, see the comment in
> there.)
>
> Could it be that you did not run ‘guix pull’ as root? Remember that
> ‘guix pull’ is per-user:
Yep, that was probably the case.
I tested in a new VM (from scratch) 0.10.0 usb install
- initially: /var/empty + bash
- guix pull + reconfigure : usermod: change shell to nologin, but home
dir stayed the same
- delete user nobody + guix system reconfigure: user nobody is back,
with /nonexistent home dir
So this looks like it is fixed, and next usb install should be good
from 1st day...
--
Vincent Legoll
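
Added example (not part of the thread and not Guix code): a POSIX shell check for the condition reported here, a non-login account such as nobody left with an interactive shell. The function names, the UID cutoff of 1000 and the root, svc and vince entries are assumptions; the two nobody lines are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: list service accounts that still have a login shell.

# Constructed sample. The two "nobody" lines are quoted from the report;
# root, svc and vince are made up for contrast.
sample_passwd() {
cat <<'EOF'
root:x:0:0::/root:/bin/bash
# GuixSD before the fix
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
# Debian
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc:x:998:998::/var/empty:
vince:x:1000:998::/home/vince:/bin/bash
EOF
}

# Reads passwd(5) lines on stdin; $1 is the lowest regular-user UID
# (assumption: 1000, check UID_MIN in /etc/login.defs).
audit_passwd() {
    awk -F: -v uid_min="${1:-1000}" '
        /^[ \t]*(#|$)/ { next }                  # comments, blank lines
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        {
            uid = $3 + 0; shell = $7
            # Service account: 0 < uid < uid_min, or the conventional
            # nobody UID 65534. Root and regular users are skipped.
            if (!((uid > 0 && uid < uid_min) || uid == 65534)) next
            # passwd(5): an empty shell field means /bin/sh.
            if (shell == "") shell = "/bin/sh"
            # Compare the basename only: on Guix the shell lives under
            # a hashed /gnu/store path.
            n = split(shell, parts, "/")
            if (parts[n] != "nologin" && parts[n] != "false")
                printf "%s uid=%d home=%s shell=%s\n", $1, uid, $6, shell
        }'
}

sample_passwd | audit_passwd
```

On a live system the same function can be fed with `getent passwd | audit_passwd`, which also covers accounts that come from sources other than /etc/passwd.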
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 20 Aug 2016 11:24:04 GMT)
This bug report was last modified 7 years and 223 days ago.