/usr/bin/toolbox should be added to /etc/shells #1523

Closed
rothgar opened this Issue Aug 16, 2016 · 3 comments

rothgar commented Aug 16, 2016

Issue Report

Bug

CoreOS Version

$ cat /etc/os-release
NAME=CoreOS
ID=coreos
VERSION=1122.0.0
VERSION_ID=1122.0.0
BUILD_ID=2016-07-27-0739
PRETTY_NAME="CoreOS 1122.0.0 (MoreOS)
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

What hardware/cloud provider/hypervisor is being used to run CoreOS? Any

Expected Behavior

I should be able to change the core user shell with chsh -s /usr/bin/toolbox

Actual Behavior

I get the error
chsh: /usr/bin/toolbox is an invalid shell

Reproduction Steps

  1. run chsh -s /usr/bin/toolbox

Other Information

You can set the shell by manually editing /etc/passwd but that's not ideal because it's harder to script or include in ignition.

Feature Request

Please add /usr/bin/toolbox to /etc/shells

marineam commented Aug 24, 2016

I don't think such an odd/complicated script like toolbox should be allowed by unprivileged chsh and in /etc/shells by default. Instead of chsh, privileged usermod should work though: sudo usermod -s /bin/bash $USER

But there is still the issue of /etc/shells, there is a PAM check for that too. This has come up before and I thought we had removed auth required pam_shells.so from our configuration but looks like it is still there. Personally I don't think using /etc/shells to block login makes any sense, only for restricting the behavior of unprivileged chsh. So until we update PAM I guess adding toolbox to /etc/shells on your system is still needed.
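
The /etc/shells check discussed in the comment above, as an added example that is not part of the original thread or of CoreOS: a shell audit that lists accounts whose login shell is missing from a shells file and reports whether an uncommented pam_shells.so line would turn that into a login failure. The function names, the `sample-login` file name and all sample data are constructed for illustration; on a real host, pass /etc/passwd, /etc/shells and /etc/pam.d to `audit`.

```shell
#!/bin/sh
# Added example: audit login shells against a shells file (sample data is constructed).

# shell_is_listed SHELL SHELLS_FILE: succeeds if SHELL is a whole-line entry.
shell_is_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# unlisted_shell_users PASSWD_FILE SHELLS_FILE: prints "user:shell" per mismatch.
unlisted_shell_users() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        [ -n "$shell" ] || shell=/bin/sh   # empty field defaults to /bin/sh (passwd(5))
        shell_is_listed "$shell" "$2" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# pam_shells_active PAM_DIR: prints uncommented pam_shells.so lines; fails if none.
pam_shells_active() {
    grep -rE '^[[:space:]]*[^#[:space:]].*pam_shells\.so' "$1" 2>/dev/null
}

# make_sample DIR: writes constructed sample files (not taken from a real host).
make_sample() {
    mkdir -p "$1/pam.d"
    printf '%s\n' '# constructed shells file' /bin/sh /bin/bash > "$1/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'core:x:500:500:sample admin:/home/core:/usr/bin/toolbox' \
        'nobody:x:65534:65534::/:' > "$1/passwd"
    printf '%s\n' '# constructed PAM stack' \
        'auth required pam_shells.so' > "$1/pam.d/sample-login"
}

# audit PASSWD SHELLS PAM_DIR: unlisted shells only block login if the module is active.
audit() {
    bad=$(unlisted_shell_users "$1" "$2")
    [ -n "$bad" ] || { echo "ok: every login shell is listed"; return 0; }
    if pam_shells_active "$3" >/dev/null; then
        echo "blocked at login by pam_shells: $bad"
    else
        echo "unlisted, but pam_shells is not active: $bad"
    fi
    return 1
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit "$tmp/passwd" "$tmp/shells" "$tmp/pam.d" || true   # demo run on the sample
rm -rf "$tmp"
```

Running the audit before changing an account's shell with usermod shows whether the new shell would also have to be added to the shells file for that account to keep logging in.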

rothgar commented Aug 24, 2016

My original problem was I wanted to do this in ignition with the core user but according to the spec it only works with new users. I imagine it works with cloud-config but haven't tested it.

Running a command interactively is obviously less than ideal when the cluster provisions itself fully otherwise. Although after using it on a few systems as the default shell I'm not sure I like not having a way to escape the toolbox and get back to a bash prompt on the host.

I'm still undecided if I like it, but I do think it should be an option. Whether that's via /etc/shells or PAM doesn't matter to me.

dm0- self-assigned this Sep 6, 2016

Member

dm0- commented Sep 6, 2016

We have removed the PAM module that was blocking logins with user shells not listed in /etc/shells.
