Re: usrmerge breaks POSIX

To: debian-devel@lists.debian.org
Cc: Thorsten Glaser <tg@mirbsd.de>
Subject: Re: usrmerge breaks POSIX
From: Russ Allbery <rra@debian.org>
Date: Thu, 15 Feb 2024 09:00:57 -0800
Message-id: <[🔎] 87sf1t64s6.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20240215090811.GA678604@cventin.lip.ens-lyon.fr> (Vincent Lefevre's message of "Thu, 15 Feb 2024 10:08:11 +0100")
References: <[🔎] 20240214172047.GA610049@cventin.lip.ens-lyon.fr> <[🔎] 87jzn6oplj.fsf@hope.eyrie.org> <[🔎] 20240214230259.GA357688@qaa.vinc17.org> <[🔎] 87a5o2o7bs.fsf@hope.eyrie.org> <[🔎] 20240215090811.GA678604@cventin.lip.ens-lyon.fr>

Vincent Lefevre <vincent@vinc17.net> writes:
> On 2024-02-14 17:16:23 -0800, Russ Allbery wrote:

> Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817168

> | with usrmerge, some programs - such as pkexec, or LEAP's bitmask
> | on top of that- fails to run. Specifically, the error I get is:
> |
> | The value for the SHELL variable was not found the /etc/shells file

>> You mentioned /etc/shells in your previous message, but /etc/shells on my
>> system contains both the /usr/bin and the /bin paths, so I'm still at a
>> complete loss.

> Not for mksh.

Okay, thank you.  I think I understand now.  The problem is:

1. mksh uses custom postinst code to add itself to /etc/shells that does
   not add the /usr/bin versions of the mksh paths, only the /bin
   versions.

2. pkexec uses /etc/shells as an authorization mechanism to not allow
   access from people who use restricted shells, so if it detects your
   shell as /usr/bin/mksh instead of the (expected by /etc/shells)
   /bin/mksh path, it will deny access.

3. Something else that I don't yet understand happened that caused pkexec
   to detect the shell as /usr/bin/mksh instead of /bin/mksh.  I'm not
   sure what this is, but I can guess at a few things that could cause
   this, so it's not surprising to me that it happened.

That pkexec uses /etc/shells in this way is a bit surprising, but I
understand the goal.  The intent is to keep people who are using
restricted shells from accessing pkexec.  I'm not sure this is the best
way to achieve that security goal, but I can also see the potential for
introducing security vulnerabilities in existing systems if we relaxed
them now.

I think the obvious solution is to ensure that both the /bin and /usr/bin
paths for mksh are registered in /etc/shells.  In other words, I think we
have a missing usrmerge-related transition here that we should just fix.
I'm copying Thorsten on this message in case he hasn't noticed this
thread, but if I were you I'd just file a bug against mksh asking for the
/usr/bin paths to also be added to /etc/shells to match the new behavior
of add-shell.

Hopefully most shells are using add-shell, and thus won't have this
problem, but any other shell package in Debian that is intended to provide
a non-restricted shell but is not using add-shell to manipulate
/etc/shells will need a similar fix.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: usrmerge breaks POSIX
  - From: Thorsten Glaser <tg@mirbsd.de>

References:
- usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>

Prev by Date: Re: usrmerge breaks POSIX
Next by Date: Re: usrmerge breaks POSIX
Previous by thread: Re: usrmerge breaks POSIX
Next by thread: Re: usrmerge breaks POSIX
Index(es):
- Date
- Thread