This repository has been archived by the owner. It is now read-only.

/usr/bin/toolbox should be added to /etc/shells #1523

Closed
rothgar opened this issue Aug 16, 2016 · 3 comments

@rothgar rothgar commented Aug 16, 2016

Issue Report

Bug

CoreOS Version

$ cat /etc/os-release
NAME=CoreOS
ID=coreos
VERSION=1122.0.0
VERSION_ID=1122.0.0
BUILD_ID=2016-07-27-0739
PRETTY_NAME="CoreOS 1122.0.0 (MoreOS)
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

What hardware/cloud provider/hypervisor is being used to run CoreOS? Any

Expected Behavior

I should be able to change the core user shell with chsh -s /usr/bin/toolbox

Actual Behavior

I get the error
chsh: /usr/bin/toolbox is an invalid shell

Reproduction Steps

  1. run chsh -s /usr/bin/toolbox

Other Information

You can set the shell by manually editing /etc/passwd but that's not ideal because it's harder to script or include in ignition.

Feature Request

Please add /usr/bin/toolbox to /etc/shells

@marineam marineam commented Aug 24, 2016

I don't think such an odd/complicated script like toolbox should be allowed by unprivileged chsh and in /etc/shells by default. Instead of chsh, privileged usermod should work though: sudo usermod -s /bin/bash $USER

But there is still the issue of /etc/shells, there is a PAM check for that too. This has come up before and I thought we had removed auth required pam_shells.so from our configuration but looks like it is still there. Personally I don't think using /etc/shells to block login makes any sense, only for restricting the behavior of unprivileged chsh. So until we update PAM I guess adding toolbox to /etc/shells on your system is still needed.

@rothgar rothgar commented Aug 24, 2016

My original problem was I wanted to do this in ignition with the core user but according to the spec it only works with new users. I imagine it works with cloud-config but haven't tested it.

Running a command interactively is obviously less than ideal when the cluster provisions itself fully otherwise. Although after using it on a few systems as the default shell I'm not sure I like not having a way to escape the toolbox and get back to a bash prompt on the host.

I'm still undecided if I like it, but I do think it should be an option. Whether that's via /etc/shells or PAM doesn't matter to me.

@dm0- dm0- self-assigned this Sep 6, 2016
@dm0- dm0- commented Sep 6, 2016

We have removed the PAM module that was blocking logins with user shells not listed in /etc/shells.
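
The thread turns on two separate uses of /etc/shells: the unprivileged chsh check and the pam_shells login check. As an added example (not part of the issue and not CoreOS code), this script lists accounts whose login shell is missing from a shells file and finds active pam_shells.so lines in PAM configuration files; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CoreOS project). All sample data is constructed.

# Shells named in a shells(5)-style file: drop comments, blanks, non-paths.
listed_shells() {
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 ~ /^\//) print }' "$1"
}

# Print "user:shell" for each passwd entry whose shell is not listed.
# $1 = passwd file, $2 = shells file. An empty shell field counts as /bin/sh.
unlisted_accounts() {
    shells=$(listed_shells "$2")
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        shell=${shell:-/bin/sh}
        printf '%s\n' "$shells" | grep -Fxq -- "$shell" ||
            printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Print active (uncommented) PAM lines that load pam_shells.so.
# /dev/null forces grep to prefix each hit with its file name.
pam_shells_rules() {
    grep -nE '^[[:space:]]*[^#[:space:]].*pam_shells\.so' /dev/null "$@"
}

# Write constructed sample files into directory $1.
make_sample() {
    printf '%s\n' '# constructed shells file' '/bin/sh' '/bin/bash  # default' > "$1/shells"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'core:x:500:500:CoreOS Admin:/home/core:/usr/bin/toolbox' \
        'svc:x:501:501::/home/svc:' > "$1/passwd"
    printf '%s\n' 'auth required pam_shells.so' \
        '#auth required pam_shells.so' 'auth required pam_unix.so' > "$1/pam"
}

d=$(mktemp -d)
make_sample "$d"
echo "Accounts whose shell is not listed:"
unlisted_accounts "$d/passwd" "$d/shells"
echo "Active pam_shells rules:"
pam_shells_rules "$d/pam"
rm -rf "$d"
```

On a real host, point the functions at /etc/passwd, /etc/shells and the files under /etc/pam.d.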
