Re: usrmerge breaks POSIX
Thorsten Glaser <tg@mirbsd.de> writes:
> Dixi quod…
>> Russ Allbery dixit:
>>> My guess is that pkexec is calling realpath to canonicalize the path
>>> before checking for it in /etc/shells, although I have not confirmed
>>> this.
>> Now that would be weird and should be fixed…
> Another question that probably should be answered first is that why
> pkexec (whatever that is) checks against /etc/shells and if that’s
> correct.
Okay, I have done more research. My speculation that pkexec might use
realpath was wrong. It does only check the contents of the SHELL
environment variable. See:
https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/programs/pkexec.c?ref_type=heads#L343
https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/programs/pkexec.c?ref_type=heads#L405
It does check whether $SHELL is found in /etc/shells. So your question
about what is setting the $SHELL variable is a good one, although I think
I would still argue that it's not the most effective way to solve the
issue.
> I’d be really appreciative if I did not have to add extra nōn-canonical
> paths to /etc/shells for bugs in unrelated software.
I understand the appeal of that stance, but the problem with it is that
there is no enforcement of this definition of canonical. I know that you
consider /bin/mksh to be the correct path, but /usr/bin/mksh is also
present and works exactly the same. chsh will prevent unprivileged users
from changing their shell to the /usr/bin path because of /etc/shells, but
not if someone makes that change as root. Also, I'm not sure useradd
cares, or possibly other ways of adding a user with a shell (Puppet, for
instance). Or, for that matter, just editing /etc/passwd as root, which I
admit is how I usually set the shells of users because I've been using
UNIX for too long.
Having only the /bin paths is fragile because it creates an expectation
that every user who sets the shell is going to know that /bin/mksh is the
correct path and /usr/bin/mksh is the wrong path and will not use the
latter. I'm not sure how they're supposed to receive this information; I
don't think it's going to be obvious to everyone who may be involved in
setting the shell. We can tell everyone who ends up with /usr/bin/mksh
that they need to change it to /bin/mksh, but this seems kind of tedious
and annoying, and I'm not seeing the downside to registering both paths.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
Reply to: