Shell skeletons not working as expected

  • Open
Details
3 participants
  • Alexandru-Sergiu Marton
  • Efraim Flashner
  • Leo Famulari
Owner
unassigned
Submitted by
Alexandru-Sergiu Marton
Severity
normal
Alexandru-Sergiu Marton wrote on 11 Apr 2020 12:10
zsh: sudo is not setuid
(address . bug-guix@gnu.org)
C1YAP1W11L61.2VVVOWHR0N902@121408
Hi,

I changed my default shell to zsh with the following line added to
my user-account record in my config.scm:

(shell #~(string-append #$zsh "/bin/zsh"))

After reconfiguring the system and rebooting, when I try to run sudo or
su (I guess this problem appears for everything in %setuid-programs), I
get a message saying it isn't actually a setuid program.

I'm writing this from a reconfigured system started at the same point as
the zsh one started, but with bash. Here I don't have that problem --
setuid programs work as expected.

Steps to reproduce:
- $ guix pull
- Change the default shell to zsh in your config.scm, as presented
above.
- $ sudo guix system reconfigure config.scm
- Reboot.
- Try to run sudo or su. It should give you an error.

Cheers,
Sergiu
Efraim Flashner wrote on 11 Apr 2020 21:38
(name . Alexandru-Sergiu Marton)(address . brown121407@member.fsf.org)(address . 40550@debbugs.gnu.org)
20200411193821.GB2191@E5400
On Sat, Apr 11, 2020 at 01:10:17PM +0300, Alexandru-Sergiu Marton wrote:
> Hi,
>
> I changed my default shell to zsh with the following line added to
> my user-account record in my config.scm:
>
> (shell #~(string-append #$zsh "/bin/zsh"))
>
> After reconfiguring the system and rebooting, when I try to run sudo or
> su (I guess this problem appears for everything in %setuid-programs), I
> get a message saying it isn't actually a setuid program.
>
> I'm writing this from a reconfigured system started at the same point as
> the zsh one started, but with bash. Here I don't have that problem --
> setuid programs work as expected.
>
> Steps to reproduce:
> - $ guix pull
> - Change the default shell to zsh in your config.scm, as presented
> above.
> - $ sudo guix system reconfigure config.scm
> - Reboot.
> - Try to run sudo or su. It should give you an error.

Do you have sudo installed in a profile? /run/setuid-programs/sudo
should be the first 'sudo' in your PATH regardless of the shell. What's
the contents of your $PATH?

(ins)efraim@E5400 ~$ which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo
(ins)efraim@E5400 ~$ guix environment --ad-hoc zsh
substitute: updating substitutes from 'http://192.168.1.183:3000'... 100.0%
substitute: updating substitutes from 'http://192.168.1.217:3000'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bayfront.guix.gnu.org'... 100.0%
The following derivation will be built:
/gnu/store/yfqfk66vl1s6av45a92ml5l60d2kaxyk-profile.drv
2.1 MB will be downloaded:
/gnu/store/icyx0ynnaaradzzxfqyjrwy0x545zdn5-zsh-5.8
The following profile hooks will be built:
/gnu/store/8kim2ay78nrlgpdks734hridk21waxhc-fonts-dir.drv
/gnu/store/fxdkr919viih72p9s2zkiadgj7r182d1-info-dir.drv
/gnu/store/ml3s254v7zf4dmwmfpc59clr0xgllsbn-ca-certificate-bundle.drv
/gnu/store/rvd1xybadpnzwlm1qz7iqcsky1dj2myw-manual-database.drv
zsh-5.8 2.0MiB 1.6MiB/s 00:01 [##################] 100.0%

building CA certificate bundle...
building fonts directory...
building directory of Info manuals...
building database for manual pages...
building profile with 1 package...
(ins)efraim@E5400 ~ [env]$ zsh
E5400% which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo


--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


Alexandru-Sergiu Marton wrote on 13 Apr 2020 06:46
(address . 40550@debbugs.gnu.org)
C1ZT2LM0ATS0.3LWS5KNCFSPWV@121408
On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:
> Do you have sudo installed in a profile? /run/setuid-programs/sudo
> should be the first 'sudo' in your PATH regardless of the shell. What's
> the contents of your $PATH?

This is my $PATH in zsh:
/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

> (ins)efraim@E5400 ~$ which -a sudo
> /run/setuid-programs/sudo
> /run/current-system/profile/bin/sudo

$ which -a sudo
/run/current-system/profile/bin/sudo

BUT!

$ ls /run/setuid-programs/
dbus-daemon-launch-helper newuidmap pkexec sudoedit
fusermount passwd polkit-agent-helper-1 umount
mount ping su
newgidmap ping6 sudo

So it looks like it's a problem with my PATH. While in bash I don't
append /run/setuid-programs to it manually, yet bash recognizes the
setuid programs. I'll probably add /run/setuid-programs by hand but I'm
wondering why doesn't it work by default.

Thanks,
Sergiu
Alexandru-Sergiu Marton wrote on 13 Apr 2020 07:01
(address . 40550@debbugs.gnu.org)
C1ZTDG94A66R.2JBWC49HEZ1NI@121408
Just a few more details. If I boot into a system config with bash as the
default shell, this is my $PATH:

/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin

If I get zsh through an environment, my PATH still has
/run/setuid-programs in it.

[brown@121408 ~]$ guix environment --ad-hoc zsh
[brown@121408 ~][env]$ zsh
[brown@121408 ~]$ echo $PATH
/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/gnu/store/anb9bk6qbwhblfr6fqcv6iiq8scyng1i-profile/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin
[brown@121408 ~]$ which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo

So my problem happens only when setting zsh as an account's default
shell.
Leo Famulari wrote on 13 Apr 2020 19:55
(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)
20200413175555.GB23262@jasmine.lan
On Mon, Apr 13, 2020 at 07:46:58AM +0300, Alexandru-Sergiu Marton wrote:
> On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:
> > Do you have sudo installed in a profile? /run/setuid-programs/sudo
> > should be the first 'sudo' in your PATH regardless of the shell. What's
> > the contents of your $PATH?
>
> This is my $PATH in zsh:
> /home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

Setting up Zsh should definitely work when creating a new user's home
directory, but maybe it doesn't do the right thing when changing a
user's shell after the home directory has already been created. We
should look into that.

Please copy the contents of '/etc/skel/.zprofile' to your zprofile file
and check for the /run/setuid-programs in your $PATH after logging in
again with `zsh --login`.
Leo Famulari wrote on 13 Apr 2020 19:56
(no subject)
(address . control@debbugs.gnu.org)
20200413175647.GA24060@jasmine.lan
retitle 40550 "Shell skeletons not working as expected"
Leo Famulari wrote on 13 Apr 2020 20:02
(address . control@debbugs.gnu.org)
20200413180202.GA24258@jasmine.lan
retitle 40550 Shell skeletons not working as expected
Leo Famulari wrote on 13 Apr 2020 21:14
Re: bug#40550: zsh: sudo is not setuid
(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)
20200413191440.GA26537@jasmine.lan
On Mon, Apr 13, 2020 at 01:55:55PM -0400, Leo Famulari wrote:
> Setting up Zsh should definitely work when creating a new user's home
> directory, but maybe it doesn't do the right thing when changing a
> user's shell after the home directory has already been created. We
> should look into that.

I tested it, and if the file ~/.zprofile already exists when Guix tries
to set up its own ~/.zprofile, then nothing is done. Maybe you already
had a ~/.zprofile?
Alexandru-Sergiu Marton wrote on 17 Apr 2020 07:45
(name . Leo Famulari)(address . leo@famulari.name)
C238TKZEIRYT.25HX384KWMDCT@121407
On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> I tested it, and if the file ~/.zprofile already exists when Guix tries
> to set up its own ~/.zprofile, then nothing is done. Maybe you already
> had a ~/.zprofile?

Yes. That should be the problem then. It is confusing though, because I
didn't think for a second that might affect it. How is this set up on
bash? It doesn't look like there is any place where /run/setuid-programs
is appended to PATH in any of my bash files.
Alexandru-Sergiu Marton wrote on 17 Apr 2020 09:58
(name . Leo Famulari)(address . leo@famulari.name)
C23BNP8A19OU.1KWB0XPZT3FOT@121408
On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> I tested it, and if the file ~/.zprofile already exists when Guix tries
> to set up its own ~/.zprofile, then nothing is done. Maybe you already
> had a ~/.zprofile?

What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
When should that happen? I tried reconfiguring my system to use zsh and
I deleted my ~/.zprofile prior to that, but after the reconfiguration
there was no new ~/.zprofile created in my home dir.

Currently I append /run/setuid-programs manually to my PATH to get
around this issue.
Efraim Flashner wrote on 17 Apr 2020 16:44
(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)
20200417144452.GA9867@E5400
On Fri, Apr 17, 2020 at 10:58:52AM +0300, Alexandru-Sergiu Marton wrote:
> On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> > I tested it, and if the file ~/.zprofile already exists when Guix tries
> > to set up its own ~/.zprofile, then nothing is done. Maybe you already
> > had a ~/.zprofile?
>
> What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
> When should that happen? I tried reconfiguring my system to use zsh and
> I deleted my ~/.zprofile prior to that, but after the reconfiguration
> there was no new ~/.zprofile created in my home dir.

I believe it would only insert a new .zprofile when a new user is
created. zprofile is in (gnu system shadow) and currently it only
sources /etc/profile.

>
> Currently I append /run/setuid-programs manually to my PATH to get
> around this issue.

--
Efraim Flashner <efraim@flashner.co.il>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
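
Added example, not part of the thread and not Guix code: a POSIX sh check for the condition diagnosed above, where PATH reaches the plain sudo in the system profile before (or instead of) the setuid copy in /run/setuid-programs. The function names and the temporary fixture tree are assumptions made for the example; only the two directory names come from the thread.

```shell
#!/bin/sh
# Added example: report whether the first NAME found on a PATH is setuid.

# Print the first executable NAME found while walking PATHSTRING left to right.
first_in_path() (
    set -f; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty PATH element means the cwd
        [ -f "$dir/$1" ] && [ -x "$dir/$1" ] && { printf '%s\n' "$dir/$1"; return 0; }
    done
    return 1
)

# check_setuid_lookup NAME PATHSTRING [SETUID_DIR]
# Prints "ok FILE", "shadowed FILE", "not-setuid FILE" or "missing".
check_setuid_lookup() {
    setuid_dir=${3:-/run/setuid-programs}
    hit=$(first_in_path "$1" "$2") || { echo "missing"; return 2; }
    if [ -u "$hit" ]; then echo "ok $hit"; return 0; fi
    # A setuid copy exists, but PATH resolves to a plain copy first.
    if [ -u "$setuid_dir/$1" ]; then echo "shadowed $hit"; else echo "not-setuid $hit"; fi
    return 1
}

# Constructed fixture: a plain sudo in a profile dir, a setuid one in a wrapper dir.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/run/setuid-programs" "$root/run/current-system/profile/bin"
    for f in "$root/run/setuid-programs/sudo" "$root/run/current-system/profile/bin/sudo"; do
        printf '#!/bin/sh\n' > "$f"; chmod 755 "$f"
    done
    chmod u+s "$root/run/setuid-programs/sudo"   # sets the bit only; not root-owned
    printf '%s\n' "$root"
}

r=$(make_fixture)
# PATH without the wrapper directory, as in the zsh login session.
check_setuid_lookup sudo "$r/run/current-system/profile/bin" "$r/run/setuid-programs" || true
# PATH with the wrapper directory ahead of the system profile, as in the bash session.
check_setuid_lookup sudo "$r/run/setuid-programs:$r/run/current-system/profile/bin" \
    "$r/run/setuid-programs" || true
rm -rf "$r"
```

On a real system, `check_setuid_lookup sudo "$PATH"` run under sh gives the same verdict for the live login environment.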

