GNU bug report logs - #23971
Nobody has a shell


Package: guix

Reported by: Vincent Legoll <vincent.legoll <at> gmail.com>

Date: Wed, 13 Jul 2016 13:07:03 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Wed, 13 Jul 2016 13:07:03 GMT)

Acknowledgement sent to Vincent Legoll <vincent.legoll <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 13 Jul 2016 13:07:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: Nobody has a shell
Date: Wed, 13 Jul 2016 12:10:18 +0200

vince <at> guixsd ~/guix-packages$ grep nobody /etc/passwd
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash

On my debian, this user is left out the door:

$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Even its HOME directory is nonexistent, purposely...

Is this not a security risk (greater attack surface) or something like that?

-- 
Vincent Legoll




Reply sent to ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility. (Wed, 13 Jul 2016 22:02:01 GMT)

Notification sent to Vincent Legoll <vincent.legoll <at> gmail.com>:
bug acknowledged by developer. (Wed, 13 Jul 2016 22:02:02 GMT)

Message #10 received at 23971-done <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Thu, 14 Jul 2016 00:01:40 +0200

Vincent Legoll <vincent.legoll <at> gmail.com> skribis:

> vince <at> guixsd ~/guix-packages$ grep nobody /etc/passwd
> nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
>
> On my debian, this user is left out the door:
>
> $ grep nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>
> Even its HOME directory is nonexistent, purposely...

Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.

The ‘shell’ field was omitted from the definition of “nobody”, which is
why it ended up using Bash, which is the default shell.

Thanks!

Ludo’.
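
A check for the condition discussed above (a service account that ends up with a login shell because the shell field was left to its default), as an added example that is not part of the original thread or of Guix. The sample records other than the two `nobody` lines quoted in the report are constructed, and treating UIDs below 1000 as system accounts is an assumption.

```shell
#!/bin/sh
# Added example: flag non-root system accounts in passwd(5) data that can
# still start a login shell.

# Shells that refuse logins, matched on basename so that store paths such
# as /gnu/store/<hash>-<package>/sbin/nologin match as well.
NOLOGIN_NAMES="nologin false"

# audit_passwd [UID_MIN]: read passwd(5) records on stdin and print
# "name uid shell" for every account with 0 < uid < UID_MIN, or
# uid 65534 (nobody), whose shell is not one of NOLOGIN_NAMES.
# UID_MIN defaults to 1000 (assumption: lower UIDs are system accounts).
audit_passwd() {
    awk -F: -v min="${1:-1000}" -v deny="$NOLOGIN_NAMES" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        $0 == "" || /^#/ { next }
        NF != 7 { print "skipping malformed line " NR | "cat 1>&2"; next }
        $3 + 0 == 0 { next }                          # root keeps its shell
        $3 + 0 >= min + 0 && $3 + 0 != 65534 { next } # ordinary users
        {
            shell = $7
            # passwd(5): an empty shell field means /bin/sh, i.e. the same
            # "omitted field falls back to a real shell" case as this bug.
            if (shell == "") shell = "/bin/sh"
            base = shell
            sub(/.*\//, "", base)
            if (!(base in ok)) print $1, $3, shell
        }'
}

# Constructed sample. Lines 2 and 3 are the GuixSD and Debian "nobody"
# records quoted in the report; the other records are made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:System administrator:/root:/bin/bash
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
daemon:x:1:1::/var/empty:
alice:x:1000:998:Alice:/home/alice:/bin/bash
EOF
}

# Run over the sample; on a live system use: audit_passwd < /etc/passwd
sample_passwd | audit_passwd
```

An empty result after `guix system reconfigure` means no system account is left with a usable shell.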




Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Thu, 14 Jul 2016 10:27:02 GMT)

Message #13 received at 23971-done <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Thu, 14 Jul 2016 12:25:57 +0200

> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>
> The ‘shell’ field was omitted from the definition of “nobody”, which is
> why it ended up using Bash, which is the default shell.

Thanks, the fix looks good, but I tried with guix system reconfigure
after guix pull.
That does not change /etc/passwd.

I tried guix refresh, but got that bt:

#####################################################################
Backtrace:
In unknown file:
   ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
In ice-9/boot-9.scm:
  63: 18 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 17 [eval # #]
In ice-9/boot-9.scm:
2401: 16 [save-module-excursion #<procedure f48940 at
ice-9/boot-9.scm:4045:3 ()>]
4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
1724: 14 [%start-stack load-stack #<procedure f5bc00 at
ice-9/boot-9.scm:4041:10 ()>]
1729: 13 [#<procedure f5fea0 ()>]
In unknown file:
   ?: 12 [primitive-load
"/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
In guix/ui.scm:
1209: 11 [run-guix-command refresh]
In ice-9/boot-9.scm:
 157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
 157: 9 [catch system-error ...]
In guix/scripts/refresh.scm:
 382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
 401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
In srfi/srfi-1.scm:
 616: 6 [for-each #<procedure 4361740 at
guix/scripts/refresh.scm:401:22 (package)> ...]
In guix/scripts/refresh.scm:
 402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
In guix/upstream.scm:
 135: 4 [package-update-path # #]
In ice-9/boot-9.scm:
 157: 3 [catch srfi-34 #<procedure 3531c00 at
guix/import/pypi.scm:313:2 ()> ...]
In guix/import/pypi.scm:
 317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
  68: 1 [latest-source-release #f]
In unknown file:
   ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]

ERROR: In procedure find:
ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
#####################################################################

What did I do wrong?

-- 
Vincent Legoll




Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Thu, 14 Jul 2016 18:37:01 GMT)

Message #16 received at 23971-done <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Thu, 14 Jul 2016 21:36:43 +0300

On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
> 
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd
> 
> I tried guix refresh, but got that bt:
> 
> #####################################################################
> Backtrace:
> In unknown file:
>    ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
> In ice-9/boot-9.scm:
>   63: 18 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
>  432: 17 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 16 [save-module-excursion #<procedure f48940 at
> ice-9/boot-9.scm:4045:3 ()>]
> 4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 14 [%start-stack load-stack #<procedure f5bc00 at
> ice-9/boot-9.scm:4041:10 ()>]
> 1729: 13 [#<procedure f5fea0 ()>]
> In unknown file:
>    ?: 12 [primitive-load
> "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
> In guix/ui.scm:
> 1209: 11 [run-guix-command refresh]
> In ice-9/boot-9.scm:
>  157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
>  157: 9 [catch system-error ...]
> In guix/scripts/refresh.scm:
>  382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
>  401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
> In srfi/srfi-1.scm:
>  616: 6 [for-each #<procedure 4361740 at
> guix/scripts/refresh.scm:401:22 (package)> ...]
> In guix/scripts/refresh.scm:
>  402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
> In guix/upstream.scm:
>  135: 4 [package-update-path # #]
> In ice-9/boot-9.scm:
>  157: 3 [catch srfi-34 #<procedure 3531c00 at
> guix/import/pypi.scm:313:2 ()> ...]
> In guix/import/pypi.scm:
>  317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
>   68: 1 [latest-source-release #f]
> In unknown file:
>    ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
> 
> ERROR: In procedure find:
> ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
> #####################################################################
> 
> What did I do wrong ?
> 
> -- 
> Vincent Legoll
> 

`guix refresh' checks upstream for newer releases of software than
what Guix currently knows, so here it was checking for newer software
from pypi, which hasn't been updated since pypi changed their uri
scheme.

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Thu, 14 Jul 2016 20:11:01 GMT)

Message #19 received at 23971-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: Ludovic Courtès <ludo <at> gnu.org>,
 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Thu, 14 Jul 2016 16:10:24 -0400

On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
> 
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

I've noticed that certain changes to my own user require reboot.

Others, which involve bringing previously non-Guix controlled user
parameters under control of Guix, seemed to require me to remove the
user from my system configuration, reconfigure, and then re-add the
user. I'm not sure what nobody's GuixSD user configuration would look
like.

Neither is a good solution, but could you try them out?




Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Fri, 15 Jul 2016 07:31:01 GMT)

Message #22 received at 23971-done <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Fri, 15 Jul 2016 09:30:38 +0200

Thanks Efraim, I should have RTFM more on guix refresh, I guess...

Leo, yes I'll try reboot to see if it makes any difference, and then
remove the user if that doesn't do it. And report here.

On Thu, Jul 14, 2016 at 10:10 PM, Leo Famulari <leo <at> famulari.name> wrote:
> On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
>> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>> >
>> > The ‘shell’ field was omitted from the definition of “nobody”, which is
>> > why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> I've noticed that certain changes to my own user require reboot.
>
> Others, which involve bringing previously non-Guix controlled user
> parameters under control of Guix, seemed to require me to remove the
> user from my system configuration, reconfigure, and then re-add the
> user. I'm not sure what nobody's GuixSD user configuration would look
> like.
>
> Neither is a good solution, but could you try them out?



-- 
Vincent Legoll




Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Fri, 15 Jul 2016 13:05:02 GMT)

Message #25 received at 23971-done <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Vincent Legoll <vincent.legoll <at> gmail.com>
Cc: 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Fri, 15 Jul 2016 15:03:49 +0200

Vincent Legoll <vincent.legoll <at> gmail.com> skribis:

>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>
>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>> why it ended up using Bash, which is the default shell.
>
> Thanks the fix looks good, but I tried with guix system reconfigure
> after guix pull
> That does not change /etc/passwd

It does change /etc/passwd (specifically, this is done in ‘modify-user’
in activation.scm, which is itself run from the activation script of the
new system that ‘guix system reconfigure’ runs; note that this changes
the shell but leaves the home directory unchanged, see the comment in
there.)

Could it be that you did not run ‘guix pull’ as root?  Remember that
‘guix pull’ is per-user:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-pull.html

HTH,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#23971; Package guix. (Sat, 23 Jul 2016 06:49:02 GMT)

Message #28 received at 23971-done <at> debbugs.gnu.org:

From: Vincent Legoll <vincent.legoll <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 23971-done <at> debbugs.gnu.org
Subject: Re: bug#23971: Nobody has a shell
Date: Sat, 23 Jul 2016 08:48:12 +0200

On Fri, Jul 15, 2016 at 3:03 PM, Ludovic Courtès <ludo <at> gnu.org> wrote:
> Vincent Legoll <vincent.legoll <at> gmail.com> skribis:
>
>>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>>
>>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>>> why it ended up using Bash, which is the default shell.
>>
>> Thanks the fix looks good, but I tried with guix system reconfigure
>> after guix pull
>> That does not change /etc/passwd
>
> It does change /etc/passwd (specifically, this is done in ‘modify-user’
> in activation.scm, which is itself run from the activation script of the
> new system that ‘guix system reconfigure’ runs; note that this changes
> the shell but leaves the home directory unchanged, see the comment in
> there.)
>
> Could it be that you did not run ‘guix pull’ as root?  Remember that
> ‘guix pull’ is per-user:

Yep, that was probably the case.

I tested in a new VM (from scratch) 0.10.0 usb install
- initially: /var/empty + bash
- guix pull + reconfigure : usermod: change shell to nologin, but home
dir stayed the same
- delete user nobody + guix system reconfigure: user nobody is back,
with /nonexistent home dir

So this looks like it is fixed, and next usb install should be good
from 1st day...

-- 
Vincent Legoll




Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 20 Aug 2016 11:24:04 GMT)

This bug report was last modified 7 years and 223 days ago.
