guix shell --container --share=/etc overrides shadow files

  • Open
Details
  • Participants (1): Christina O'Donnell
  • Owner: unassigned
  • Submitted by: Christina O'Donnell
  • Severity: normal
Christina O'Donnell wrote on 11 Jan 15:10 +0100
To: bug-guix@gnu.org
Hi Guix,

Running the below command as root overrides the running system's shadow
files (/etc/shadow, /etc/passwd, and /etc/group).

WARNING: Don't run the following outside of a VM!

  guix shell --container --share=/etc

This erases the current user from the passwd database, meaning `su` and
`sudo` no longer work, and you can't log in.

Discussion

The context is that I was tracking down a libreoffice bug using guix
time-machine and ran the very clever command trying to get the display
working.

  sudo guix time-machine ... -- environment -C --ad-hoc coreutils sway \
    --preserve='DISPLAY' --preserve='XDG' --share=/etc -- sway

Now of course if you write random commands with sudo, you should expect
to brick your system from time to time. And setting `--share=/etc` wasn't
a particularly smart idea. However, it would have been nice to not have
that wipe my shadow files.

For example, being warned about sharing /etc with a container.

To reproduce, run the Guix command in a basic VM image, connecting to the
Guix daemon on the host.[1]

Please let me know if you have any questions!

Kind regards,
 - Christina O'Donnell


---

[1] See my blog for more details:
To comment on this conversation send an email to 68387@debbugs.gnu.org

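The report asks for a warning when /etc is shared with a container. As an added example (not Guix code and not from the reporter), here is a shell pre-flight check that flags both invocations quoted in the report. The function names `share_hits_etc`, `guix_share_risk` and `guarded_guix` are hypothetical, and paths are compared textually, without resolving symlinks or relative paths.

```sh
#!/bin/sh
# Added example: pre-flight check for containerised guix invocations that
# share the host's /etc read-write. Hypothetical helper names throughout.

share_hits_etc() {
    # $1 is a --share SPEC of the form SOURCE[=TARGET]; only the host-side
    # SOURCE decides which host files the container can write to.
    src=${1%%=*}
    # Drop trailing slashes so "/etc/" is treated like "/etc".
    while [ "$src" != "/" ] && [ "${src%/}" != "$src" ]; do
        src=${src%/}
    done
    case "$src" in
        /|/etc|/etc/*) return 0 ;;   # /etc, its parent, or a file below it
    esac
    return 1
}

guix_share_risk() {
    # Returns 0 when the argument list asks for a container AND a read-write
    # share covering /etc. Arguments after "--" are scanned too, because
    # "guix time-machine ... -- environment -C ..." puts the options there.
    container=no
    risky=no
    while [ $# -gt 0 ]; do
        case "$1" in
            -C|--container) container=yes ;;
            --share=*)
                if share_hits_etc "${1#--share=}"; then risky=yes; fi ;;
            --share)  # defensive: space-separated form
                if [ $# -ge 2 ]; then
                    shift
                    if share_hits_etc "$1"; then risky=yes; fi
                fi ;;
            # --expose is read-only, so it is deliberately not flagged.
        esac
        shift
    done
    [ "$container" = yes ] && [ "$risky" = yes ]
}

guarded_guix() {
    # Stop with a warning instead of running the risky invocation.
    if guix_share_risk "$@"; then
        echo "refusing: container would get read-write access to host /etc: guix $*" >&2
        return 2
    fi
    command guix "$@"
}
```

Since the report concerns running the command as root, a caller could apply the check only when `id -u` prints 0.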