Re: usrmerge breaks POSIX

To: debian-devel@lists.debian.org
Subject: Re: usrmerge breaks POSIX
From: Russ Allbery <rra@debian.org>
Date: Thu, 15 Feb 2024 16:30:25 -0800
Message-id: <[🔎] 87v86p45em.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 87zfw145zd.fsf@hope.eyrie.org> (Russ Allbery's message of "Thu, 15 Feb 2024 16:17:58 -0800")
References: <[🔎] 87a5o2o7bs.fsf@hope.eyrie.org> <[🔎] 20240215090811.GA678604@cventin.lip.ens-lyon.fr> <[🔎] 87sf1t64s6.fsf@hope.eyrie.org> <[🔎] Pine.BSM.4.64L.2402151717340.5685@herc.mirbsd.org> <[🔎] 87o7ch62r1.fsf@hope.eyrie.org> <[🔎] Pine.BSM.4.64L.2402151822410.5685@herc.mirbsd.org> <[🔎] Pine.BSM.4.64L.2402151842170.5685@herc.mirbsd.org> <[🔎] 87eddd5vkq.fsf@hope.eyrie.org> <[🔎] Pine.BSM.4.64L.2402152141210.5685@herc.mirbsd.org> <[🔎] 877cj55q95.fsf@hope.eyrie.org> <[🔎] 20240215233006.GB5687@qaa.vinc17.org> <[🔎] 87zfw145zd.fsf@hope.eyrie.org>

Russ Allbery <rra@debian.org> writes:

> That definitely should not be the case and any restricted shell that adds
> itself to /etc/shells is buggy.  See chsh(1):

>     The only restriction placed on the login shell is that the command
>     name must be listed in /etc/shells, unless the invoker is the
>     superuser, and then any value may be added. An account with a
>     restricted login shell may not change her login shell. For this
>     reason, placing /bin/rsh in /etc/shells is discouraged since
>     accidentally changing to a restricted shell would prevent the user
>     from ever changing her login shell back to its original value.

To follow up on this, currently rbash is added to /etc/shells, which is
surprising to me and which I assume is what you were referring to.  This
seems directly contrary to the chsh advice.  I can't find a reference to
this in bash's changelog and am not sure the reasons for this, though, so
presumably I'm missing something.

I was only able to find this discussion of why pkexec checks $SHELL, and
it doesn't support my assumption that it was an intentional security
measure, so I may well be wrong in that part of my analysis.  Apologies
for that; I clearly should have done more research.  git blame points to a
commit that only references this thread:

https://lists.freedesktop.org/archives/polkit-devel/2009-December/000282.html

which seems to imply that this was done to match sudo behavior and because
the author believed this was the right way to validate the SHELL setting.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>

References:
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: usrmerge breaks POSIX
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>
- Re: usrmerge breaks POSIX
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: usrmerge breaks POSIX
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: usrmerge breaks POSIX
Next by Date: Bug#1064033: ITP: asn -- network OSINT CLI ASN, RPKI, BGP, Geo, Recon, Trace
Previous by thread: Re: usrmerge breaks POSIX
Next by thread: Re: usrmerge breaks POSIX
Index(es):
- Date
- Thread