Nobody has a shell

  • Done
Details
4 participants
  • Efraim Flashner
  • Leo Famulari
  • Ludovic Courtès
  • Vincent Legoll
Owner
unassigned
Submitted by
Vincent Legoll
Severity
normal
Vincent Legoll wrote on 13 Jul 2016 12:10
(address . bug-guix@gnu.org)
CAEwRq=p6rqdjAVc6xU24Rhn9cWVXOzF-44SOuL0naxj+Rr2X_Q@mail.gmail.com
vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash

On my debian, this user is left out the door:

$ grep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Even its HOME directory is non-existent, purposely...

Is this not a security risk (greater attack surface) or something like that?

--
Vincent Legoll
Ludovic Courtès wrote on 14 Jul 2016 00:01
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 23971-done@debbugs.gnu.org)
874m7tjiyj.fsf@gnu.org
Vincent Legoll <vincent.legoll@gmail.com> wrote:

> vince@guixsd ~/guix-packages$ grep nobody /etc/passwd
> nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
>
> On my debian, this user is left out the door:
>
> $ grep nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>
> Even its HOME directory is non-existent, purposely...

Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.

The ‘shell’ field was omitted from the definition of “nobody”, which is
why it ended up using Bash, which is the default shell.

Thanks!

Ludo’.
Closed
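The exchange above is about one concrete check: whether a system account such as `nobody` has been left with a real login shell (Bash, here via the Guix store path) instead of a nologin shell, which is exactly the kind of entry a hardening audit should flag. The script below is an added example, not code from the bug report or from Guix. It audits a passwd-format file and reports system accounts with an interactive shell. It assumes the Debian-style convention that UIDs below 1000 are system accounts (root, UID 0, is excluded because it legitimately keeps a shell), treats `nobody` as a system account regardless of its UID, and counts any shell whose basename is not `nologin` or `false` as interactive. The sample entries are constructed for the demo; the GuixSD `nobody` line is the one quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Guix: audit a passwd-format
# file for system accounts that still have an interactive login shell.
# Assumptions: a system account is UID < 1000 (root excluded) or the account
# "nobody"; an interactive shell is anything whose basename is not nologin
# or false.

# Constructed sample in /etc/passwd format. The "nobody" line is the GuixSD
# entry quoted in the report above; the other lines are made up for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:997::/var/empty:/gnu/store/7cdd8s466qyjh64m0byq0rz9gk1jid40-bash-4.3.42/bin/bash
vince:x:1000:1000::/home/vince:/bin/bash'

# The same constructed file after the fix described in the thread: nologin
# shell and a home directory that does not exist.
FIXED_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vince:x:1000:1000::/home/vince:/bin/bash'

# Print "name:uid:shell" for every system account with an interactive shell.
interactive_system_accounts() {
    awk -F: '
        # fields: name:passwd:uid:gid:gecos:home:shell
        $3 != 0 && ($3 < 1000 || $1 == "nobody") {
            shell = $7
            sub(/.*\//, "", shell)   # keep only the basename of the shell
            if (shell != "nologin" && shell != "false")
                print $1 ":" $3 ":" $7
        }' "$1"
}

# Exit status 0 when the file is clean, 1 when at least one account is
# flagged; flagged entries are printed on stdout.
audit_passwd() {
    flagged=$(interactive_system_accounts "$1")
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed sample (writes it to a temp file,
# since the audit reads a file so it can be pointed at /etc/passwd).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo"
if audit_passwd "$demo"; then
    echo "no system account has an interactive shell"
else
    echo "system accounts with an interactive shell are listed above"
fi
rm -f "$demo"
```

Run against the real file with `audit_passwd /etc/passwd`; on the unfixed GuixSD entry it prints the `nobody` line and exits 1, on the fixed entry it exits 0. The basename comparison is deliberate: on Guix the shell is a store path, so matching on `/usr/sbin/nologin` literally would miss both the problem and the fix.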
Vincent Legoll wrote on 14 Jul 2016 12:25
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 23971-done@debbugs.gnu.org)
CAEwRq=q_PvjZHbzB07k0Me34Yyxr9WCbUjLCLySxG9TNxm_Hsg@mail.gmail.com
> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>
> The ‘shell’ field was omitted from the definition of “nobody”, which is
> why it ended up using Bash, which is the default shell.

Thanks, the fix looks good, but I tried with guix system reconfigure
after guix pull.
That does not change /etc/passwd.

I tried guix refresh, but got that bt:

#####################################################################
Backtrace:
In unknown file:
?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
In ice-9/boot-9.scm:
63: 18 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 17 [eval # #]
In ice-9/boot-9.scm:
2401: 16 [save-module-excursion #<procedure f48940 at
ice-9/boot-9.scm:4045:3 ()>]
4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
1724: 14 [%start-stack load-stack #<procedure f5bc00 at
ice-9/boot-9.scm:4041:10 ()>]
1729: 13 [#<procedure f5fea0 ()>]
In unknown file:
?: 12 [primitive-load
"/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
In guix/ui.scm:
1209: 11 [run-guix-command refresh]
In ice-9/boot-9.scm:
157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
157: 9 [catch system-error ...]
In guix/scripts/refresh.scm:
382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
In srfi/srfi-1.scm:
616: 6 [for-each #<procedure 4361740 at
guix/scripts/refresh.scm:401:22 (package)> ...]
In guix/scripts/refresh.scm:
402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
In guix/upstream.scm:
135: 4 [package-update-path # #]
In ice-9/boot-9.scm:
157: 3 [catch srfi-34 #<procedure 3531c00 at
guix/import/pypi.scm:313:2 ()> ...]
In guix/import/pypi.scm:
317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
68: 1 [latest-source-release #f]
In unknown file:
?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]

ERROR: In procedure find:
ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
#####################################################################

What did I do wrong?

--
Vincent Legoll
Efraim Flashner wrote on 14 Jul 2016 20:36
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20160714183643.GD11033@debian-netbook
On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks, the fix looks good, but I tried with guix system reconfigure
> after guix pull.
> That does not change /etc/passwd.
>
> I tried guix refresh, but got that bt:
>
> #####################################################################
> Backtrace:
> In unknown file:
> ?: 19 [apply-smob/1 #<catch-closure f2b7a0>]
> In ice-9/boot-9.scm:
> 63: 18 [call-with-prompt prompt0 ...]
> In ice-9/eval.scm:
> 432: 17 [eval # #]
> In ice-9/boot-9.scm:
> 2401: 16 [save-module-excursion #<procedure f48940 at
> ice-9/boot-9.scm:4045:3 ()>]
> 4050: 15 [#<procedure f48940 at ice-9/boot-9.scm:4045:3 ()>]
> 1724: 14 [%start-stack load-stack #<procedure f5bc00 at
> ice-9/boot-9.scm:4041:10 ()>]
> 1729: 13 [#<procedure f5fea0 ()>]
> In unknown file:
> ?: 12 [primitive-load
> "/gnu/store/1g2ygiq4z0b5snnwmddfks4flnippna6-guix-0.10.0-0.e901/bin/.guix-real"]
> In guix/ui.scm:
> 1209: 11 [run-guix-command refresh]
> In ice-9/boot-9.scm:
> 157: 10 [catch srfi-34 #<procedure 435c880 at guix/ui.scm:425:2 ()> ...]
> 157: 9 [catch system-error ...]
> In guix/scripts/refresh.scm:
> 382: 8 [#<procedure 41dbc80 at guix/scripts/refresh.scm:381:4 ()>]
> 401: 7 [#<procedure 41dbc30 at guix/scripts/refresh.scm:382:6 ()>]
> In srfi/srfi-1.scm:
> 616: 6 [for-each #<procedure 4361740 at
> guix/scripts/refresh.scm:401:22 (package)> ...]
> In guix/scripts/refresh.scm:
> 402: 5 [#<procedure 4361740 at guix/scripts/refresh.scm:401:22 (package)> #]
> In guix/upstream.scm:
> 135: 4 [package-update-path # #]
> In ice-9/boot-9.scm:
> 157: 3 [catch srfi-34 #<procedure 3531c00 at
> guix/import/pypi.scm:313:2 ()> ...]
> In guix/import/pypi.scm:
> 317: 2 [#<procedure 3531c00 at guix/import/pypi.scm:313:2 ()>]
> 68: 1 [latest-source-release #f]
> In unknown file:
> ?: 0 [find #<procedure 1cf5ce0 at guix/import/pypi.scm:68:14 (release)> #f]
>
> ERROR: In procedure find:
> ERROR: In procedure find: Wrong type argument in position 2 (expecting list): #f
> #####################################################################
>
> What did I do wrong?
>
> --
> Vincent Legoll
>

`guix refresh' checks upstream for newer releases of software than
what Guix currently knows, so here it was checking for newer software
from pypi, which hasn't been updated since pypi changed their uri
scheme.

--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Leo Famulari wrote on 14 Jul 2016 22:10
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)
20160714201024.GA32471@jasmine
On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
> >
> > The ‘shell’ field was omitted from the definition of “nobody”, which is
> > why it ended up using Bash, which is the default shell.
>
> Thanks, the fix looks good, but I tried with guix system reconfigure
> after guix pull.
> That does not change /etc/passwd.

I've noticed that certain changes to my own user require reboot.

Others, which involve bringing previously non-Guix controlled user
parameters under control of Guix, seemed to require me to remove the
user from my system configuration, reconfigure, and then re-add the
user. I'm not sure what nobody's GuixSD user configuration would look
like.

Neither is a good solution, but could you try them out?
Vincent Legoll wrote on 15 Jul 2016 09:30
(name . Leo Famulari)(address . leo@famulari.name)
CAEwRq=pDn9yM6zhVMWsSvOzphOjgabAW6Mbu1JT9wMSueWzN7Q@mail.gmail.com
Thanks efraim, I should have RTFM more on guix refresh, I guess...

Leo, yes I'll try reboot to see if it makes any difference, and then
remove the user if that doesn't do it. And report here.

On Thu, Jul 14, 2016 at 10:10 PM, Leo Famulari <leo@famulari.name> wrote:
> On Thu, Jul 14, 2016 at 12:25:57PM +0200, Vincent Legoll wrote:
>> > Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>> >
>> > The ‘shell’ field was omitted from the definition of “nobody”, which is
>> > why it ended up using Bash, which is the default shell.
>>
>> Thanks, the fix looks good, but I tried with guix system reconfigure
>> after guix pull.
>> That does not change /etc/passwd.
>
> I've noticed that certain changes to my own user require reboot.
>
> Others, which involve bringing previously non-Guix controlled user
> parameters under control of Guix, seemed to require me to remove the
> user from my system configuration, reconfigure, and then re-add the
> user. I'm not sure what nobody's GuixSD user configuration would look
> like.
>
> Neither is a good solution, but could you try them out?



--
Vincent Legoll
Ludovic Courtès wrote on 15 Jul 2016 15:03
(name . Vincent Legoll)(address . vincent.legoll@gmail.com)(address . 23971-done@debbugs.gnu.org)
87twfr2gui.fsf@gnu.org
Vincent Legoll <vincent.legoll@gmail.com> wrote:

>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>
>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>> why it ended up using Bash, which is the default shell.
>
> Thanks, the fix looks good, but I tried with guix system reconfigure
> after guix pull.
> That does not change /etc/passwd.

It does change /etc/passwd (specifically, this is done in ‘modify-user’
in activation.scm, which is itself run from the activation script of the
new system that ‘guix system reconfigure’ runs; note that this changes
the shell but leaves the home directory unchanged, see the comment in
there.)

Could it be that you did not run ‘guix pull’ as root? Remember that
‘guix pull’ is per-user:


HTH,
Ludo’.
Vincent Legoll wrote on 23 Jul 2016 08:48
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 23971-done@debbugs.gnu.org)
CAEwRq=odBtMMCU0WNnkvRLzAh9a_8j7vAExCetvaZv6ZEgAP1w@mail.gmail.com
On Fri, Jul 15, 2016 at 3:03 PM, Ludovic Courtès <ludo@gnu.org> wrote:
> Vincent Legoll <vincent.legoll@gmail.com> wrote:
>
>>> Indeed, fixed in 2d94702ff4133606cda1e51a2c8378a8e79afb9d.
>>>
>>> The ‘shell’ field was omitted from the definition of “nobody”, which is
>>> why it ended up using Bash, which is the default shell.
>>
>> Thanks, the fix looks good, but I tried with guix system reconfigure
>> after guix pull.
>> That does not change /etc/passwd.
>
> It does change /etc/passwd (specifically, this is done in ‘modify-user’
> in activation.scm, which is itself run from the activation script of the
> new system that ‘guix system reconfigure’ runs; note that this changes
> the shell but leaves the home directory unchanged, see the comment in
> there.)
>
> Could it be that you did not run ‘guix pull’ as root? Remember that
> ‘guix pull’ is per-user:

Yep, that was probably the case.

I tested in a new VM (from scratch) 0.10.0 usb install
- initially: /var/empty + bash
- guix pull + reconfigure : usermod: change shell to nologin, but home
dir stayed the same
- delete user nobody + guix system reconfigure: user nobody is back,
with /nonexistent home dir

So this looks like it is fixed, and next usb install should be good
from 1st day...

--
Vincent Legoll