Shell skeletons not working as expected

Open

Details

3 participants

Alexandru-Sergiu Marton
Efraim Flashner
Leo Famulari

Owner: unassigned

Submitted by: Alexandru-Sergiu Marton

Severity: normal

Alexandru-Sergiu Marton wrote on 11 Apr 2020 12:10

zsh: sudo is not setuid

Recipients:(address . bug-guix@gnu.org)

Message-ID:C1YAP1W11L61.2VVVOWHR0N902@121408

Hi,

I changed my default shell to zsh with the following line added to

my user-account record in my config.scm:

(shell #~(string-append #$zsh "/bin/zsh"))

After reconfiguring the system and rebooting, when I try to run sudo or

su (I guess this problem appears for every thing in %setuid-programs), I

get a message saying it isn't actually a setuid program.

I'm writing this from a reconfigured system started at the same point as

the zsh one started, but with bash. Here I don't have that problem --

setuid programs work as expected.

Steps to reproduce:

- $ guix pull

- Change the default shell to zsh in your config.scm, as presented

above.

- $ sudo guix system reconfigure config.scm

- Reboot.

- Try to run sudo or su. It should give you an error.

Cheers,

Sergiu

Efraim Flashner wrote on 11 Apr 2020 21:38

Recipients:(name . Alexandru-Sergiu Marton)(address . brown121407@member.fsf.org)(address . 40550@debbugs.gnu.org)

Message-ID:20200411193821.GB2191@E5400

On Sat, Apr 11, 2020 at 01:10:17PM +0300, Alexandru-Sergiu Marton wrote:

Toggle quote (23 lines)> Hi,
> 
> I changed my default shell to zsh with the following line added to
> my user-account record in my config.scm:
> 
> (shell #~(string-append #$zsh "/bin/zsh"))
> 
> After reconfiguring the system and rebooting, when I try to run sudo or
> su (I guess this problem appears for every thing in %setuid-programs), I
> get a message saying it isn't actually a setuid program.
> 
> I'm writing this from a reconfigured system started at the same point as
> the zsh one started, but with bash. Here I don't have that problem --
> setuid programs work as expected.
> 
> Steps to reproduce:
> - $ guix pull
> - Change the default shell to zsh in your config.scm, as presented
>   above.
> - $ sudo guix system reconfigure config.scm
> - Reboot.
> - Try to run sudo or su. It should give you an error.

Do you have sudo installed in a profile? /run/setuid-programs/sudo
should be the first 'sudo' in your PATH regardless of the shell. What's
the contents of your $PATH?

(ins)efraim@E5400 ~$ which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo
(ins)efraim@E5400 ~$ guix environment --ad-hoc zsh
substitute: updating substitutes from 'http://192.168.1.183:3000'... 100.0%
substitute: updating substitutes from 'http://192.168.1.217:3000'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bayfront.guix.gnu.org'... 100.0%
The following derivation will be built:
   /gnu/store/yfqfk66vl1s6av45a92ml5l60d2kaxyk-profile.drv
2.1 MB will be downloaded:
   /gnu/store/icyx0ynnaaradzzxfqyjrwy0x545zdn5-zsh-5.8
The following profile hooks will be built:
   /gnu/store/8kim2ay78nrlgpdks734hridk21waxhc-fonts-dir.drv
   /gnu/store/fxdkr919viih72p9s2zkiadgj7r182d1-info-dir.drv
   /gnu/store/ml3s254v7zf4dmwmfpc59clr0xgllsbn-ca-certificate-bundle.drv
   /gnu/store/rvd1xybadpnzwlm1qz7iqcsky1dj2myw-manual-database.drv
downloading from https://ci.guix.gnu.org/nar/lzip/icyx0ynnaaradzzxfqyjrwy0x545zdn5-zsh-5.8...
 zsh-5.8  2.0MiB                                            1.6MiB/s 00:01 [##################] 100.0%

building CA certificate bundle...
building fonts directory...
building directory of Info manuals...
building database for manual pages...
building profile with 1 package...
(ins)efraim@E5400 ~ [env]$ zsh
E5400% which -a sudo
/run/setuid-programs/sudo
/run/current-system/profile/bin/sudo


-- 
Efraim Flashner   <efraim@flashner.co.il>   ????? ?????
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Alexandru-Sergiu Marton wrote on 13 Apr 2020 06:46

Recipients:(address . 40550@debbugs.gnu.org)

Message-ID:C1ZT2LM0ATS0.3LWS5KNCFSPWV@121408

On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:

Toggle quote (4 lines)

> Do you have sudo installed in a profile? /run/setuid-programs/sudo

> should be the first 'sudo' in your PATH regardless of the shell. What's

> the contents of your $PATH?

This is my $PATH in zsh:

/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

Toggle quote (4 lines)

> (ins)efraim@E5400 ~$ which -a sudo

> /run/setuid-programs/sudo

> /run/current-system/profile/bin/sudo

$ which -a sudo

/run/current-system/profile/bin/sudo

BUT!

$ ls /run/setuid-programs/

dbus-daemon-launch-helper newuidmap pkexec sudoedit

fusermount passwd polkit-agent-helper-1 umount

mount ping su

newgidmap ping6 sudo

So it looks like it's a problem with my PATH. While in bash I don't

append /run/setuid-programs to it manually, yet bash recognizes the

setuid programs. I'll probably add /run/setuid-programs by hand but I'm

wondering why doesn't it work by default.

Thanks,

Sergiu

Alexandru-Sergiu Marton wrote on 13 Apr 2020 07:01

Recipients:(address . 40550@debbugs.gnu.org)

Message-ID:C1ZTDG94A66R.2JBWC49HEZ1NI@121408

Just a few more details. If I boot into a system config with bash as the

default shell, this is my $PATH:

/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin

If I get zsh through an environment, my PATH still has

/run/setuid-programs in it.

[brown@121408 ~]$ guix environment --ad-hoc zsh

[brown@121408 ~][env]$ zsh

[brown@121408 ~]$ echo $PATH

/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/gnu/store/anb9bk6qbwhblfr6fqcv6iiq8scyng1i-profile/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/setuid-programs:/home/brown/.config/guix/current/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin:/run/current-system/profile/sbin

[brown@121408 ~]$ which -a sudo

/run/setuid-programs/sudo

/run/current-system/profile/bin/sudo

So my problem happens only when setting zsh as an account's default

shell.

Leo Famulari wrote on 13 Apr 2020 19:55

Recipients:(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)

Message-ID:20200413175555.GB23262@jasmine.lan

On Mon, Apr 13, 2020 at 07:46:58AM +0300, Alexandru-Sergiu Marton wrote:

Toggle quote (8 lines)

> On Sun Apr 12, 2020 at 1:38 AM PST, Efraim Flashner wrote:

> > Do you have sudo installed in a profile? /run/setuid-programs/sudo

> > should be the first 'sudo' in your PATH regardless of the shell. What's

> > the contents of your $PATH?

> This is my $PATH in zsh:

> /home/brown/bin:/home/brown/.local/bin:/home/brown/.guix-profile/bin:/home/brown/.guix-profile/sbin:/run/current-system/profile/bin

Setting up Zsh should definitely work when creating a new user's home
directory, but maybe it doesn't do the right thing when changing a
user's shell after the home directory has already been created. We
should look into that.

Please copy the contents of '/etc/skel/.zprofile' to your zprofile file
and check for the /run/setuid-programs in your $PATH after logging in
again with `zsh --login`.

Leo Famulari wrote on 13 Apr 2020 19:56

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:20200413175647.GA24060@jasmine.lan

retitle 40550 "Shell skeletons not working as expected"

Leo Famulari wrote on 13 Apr 2020 20:02

Recipients:(address . control@debbugs.gnu.org)

Message-ID:20200413180202.GA24258@jasmine.lan

retitle 40550 Shell skeletons not working as expected

Leo Famulari wrote on 13 Apr 2020 21:14

Re: bug#40550: zsh: sudo is not setuid

Recipients:(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)

Message-ID:20200413191440.GA26537@jasmine.lan

On Mon, Apr 13, 2020 at 01:55:55PM -0400, Leo Famulari wrote:

Toggle quote (5 lines)

> Setting up Zsh should definitely work when creating a new user's home

> directory, but maybe it doesn't do the right thing when changing a

> user's shell after the home directory has already been created. We

> should look into that.

I tested it, and if the file ~/.zprofile already exists when Guix tries
to set up its own ~/.zprofile, then nothing is done. Maybe you already
had a ~/.zprofile?

Alexandru-Sergiu Marton wrote on 17 Apr 2020 07:45

Recipients:(name . Leo Famulari)(address . leo@famulari.name)

Message-ID:C238TKZEIRYT.25HX384KWMDCT@121407

On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:

Toggle quote (4 lines)

> I tested it, and if the file ~/.zprofile already exists when Guix tries

> to set up its own ~/.zprofile, then nothing is done. Maybe you already

> had a ~/.zprofile?

Yes. That should be the problem then. It is confusing though, because I
didn't think for a second that might affect it. How is this set up on
bash? It doesn't look like there is any place where /run/setuid-programs
is appended to PATH in any of my bash files.

Alexandru-Sergiu Marton wrote on 17 Apr 2020 09:58

Recipients:(name . Leo Famulari)(address . leo@famulari.name)

Message-ID:C23BNP8A19OU.1KWB0XPZT3FOT@121408

On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:

Toggle quote (4 lines)

> I tested it, and if the file ~/.zprofile already exists when Guix tries

> to set up its own ~/.zprofile, then nothing is done. Maybe you already

> had a ~/.zprofile?

What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
When should that happen? I tried reconfiguring my system to use zsh and
I deleted my ~/.zprofile prior to that, but after the reconfiguration
there was no new ~/.zprofile created in my home dir.

Currently I append /run/setuid-programs manually to my PATH to get
around this issue.

Efraim Flashner wrote on 17 Apr 2020 16:44

Recipients:(name . Alexandru-Sergiu Marton)(address . brown121407@posteo.ro)

Message-ID:20200417144452.GA9867@E5400

On Fri, Apr 17, 2020 at 10:58:52AM +0300, Alexandru-Sergiu Marton wrote:

Toggle quote (10 lines)> On Mon Apr 13, 2020 at 6:14 PM PST, Leo Famulari wrote:
> > I tested it, and if the file ~/.zprofile already exists when Guix tries
> > to set up its own ~/.zprofile, then nothing is done. Maybe you already
> > had a ~/.zprofile?
> 
> What does "when Guix tries to set up its own ~/.zprofile" exactly mean?
> When should that happen? I tried reconfiguring my system to use zsh and
> I deleted my ~/.zprofile prior to that, but after the reconfiguration
> there was no new ~/.zprofile created in my home dir.

I believe it would only insert a new .zprofile when a new user is

created. zprofile is in (gnu system shadow) and currently it only

sources /etc/profile.

Toggle quote (4 lines)

> Currently I append /run/setuid-programs manually to my PATH to get

> around this issue.

-- 
Efraim Flashner   <efraim@flashner.co.il>   ????? ?????
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 40550@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 40550

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date