* [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) [not found] ` <cf899cc5-4267-3f59-478e-b7ba5361e2eb@cygwin.com> @ 2016-05-12 21:36 ` Yaakov Selkowitz 2016-05-12 21:44 ` Warren Young 2016-05-13 10:29 ` Andrew Schulman 0 siblings, 2 replies; 4+ messages in thread From: Yaakov Selkowitz @ 2016-05-12 21:36 UTC (permalink / raw) To: cygwin-apps [-- Attachment #1: Type: text/plain, Size: 2256 bytes --] On 2016-05-11 14:06, Yaakov Selkowitz wrote: > On 2016-05-11 12:09, Andrew Schulman wrote: >>> Am 10.05.2016 um 20:19 schrieb Andrew Schulman: >>>> Achim, can you please add /bin/fish and /usr/bin/fish to /etc/shells in >>>> base-files? >>> >>> I seem to remember that this was discussed before. If you could perhaps >>> look up that discussion and fill me in what the conclusion was last time >>> around? >> >> Hm, you're right, it was discussed before: >> >> https://www.cygwin.com/ml/cygwin/2014-02/msg00696.html >> >> I don't know if there was consensus, but the last word there from CGF was >> that shell packages should run a postinstall step to add themselves to >> /etc/shells. > > While I'm always ready to reconsider previous decisions, this is how it > appears to be handled in Linux distros. The implication thereof is that > (once all packages have been adapted) the default /etc/shells should > only contain those shells available by default (namely, sh, bash, and > /sbin/nologin), e.g.: > > https://git.fedorahosted.org/cgit/setup.git/tree/shells > > (except that /sbin != /usr/sbin on Cygwin.) AFAICS this should be a two-step process. 1) base-files' default /etc/shells should contain only the shells in a Base install, namely: /bin/sh /bin/ash /bin/bash /bin/dash /usr/bin/sh /usr/bin/ash /usr/bin/bash /usr/bin/dash /sbin/nologin 2) Then all non-Base shells, namely: fish Andrew Schulman mksh Chris Sutcliffe posh Jari Aalto tcsh Corinna Vinschen zsh Peter A. Castro will bump release adding an update_etc_shells call, per the attached patch, with the path of their shell(s). >> That seems reasonable. There are questions about the right way to do it, >> but I'll ask those in a separate thread. > > Probably best if we have a cygport function for creating the necessary > postinstall and preremove commands. Attached. Any questions or comments before I make this official? Or, is this just not worth the trouble? What are the consequences of having shells listed in /etc/shells which aren't on the system? -- Yaakov [-- Attachment #2: 0002-Add-update_etc_shells-for-etc-shells-management.patch --] [-- Type: text/plain, Size: 2608 bytes --] From 68d32dfee3ed2b0b8c1f356ef794846f086d3583 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz <yselkowi@redhat.com> Date: Thu, 12 May 2016 16:14:33 -0500 Subject: [PATCH] Add update_etc_shells for /etc/shells management See https://cygwin.com/ml/cygwin/2016-05/msg00135.html --- lib/src_install.cygpart | 56 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/lib/src_install.cygpart b/lib/src_install.cygpart index 1fe8176..41adcb3 100644 --- a/lib/src_install.cygpart +++ b/lib/src_install.cygpart @@ -877,6 +877,60 @@ make_etc_defaults() { done } +#****I* Installing/update_etc_shells +# SYNOPSIS +# update_etc_shells PATH_TO_SHELL [PATH_TO_SHELL] ... +# DESCRIPTION +# Indicates that the given fully-qualified path(s) are shells which should be +# listed in /etc/shells. update_etc_shells creates a postinstall script to +# add this listing if it doesn't already exist, and a preremove script which +# removes it when uninstalling. +# NOTES +# * Only one of the /bin or /usr/bin paths should be specified for any given +# shell; the other will be added automatically. +# * Generic aliases should be listed as well, e.g. tcsh would use +# update_etc_shells /bin/tcsh /bin/csh +# * Shells which are part of the Base install (namely, bash/sh and dash/ash) +# should not use this function, as they are already included in the default +# /etc/shells. +#**** +update_etc_shells() { + local alt sh + + for sh in ${@} + do + case ${sh} in + /bin/*) alt=/usr${sh} ;; + /usr/bin/*) alt=${sh#/usr} ;; + *) alt= ;; + esac + + if [ ! -e ${D}${sh} ] && [ ! -e ${D}${alt:-${sh}} ] + then + error "shell ${sh} does not exist" + fi + + dodir /etc/postinstall + cat >> ${D}/etc/postinstall/${PN}.sh <<-_EOF + if [ ! -f /etc/shells ] || ! grep -q "^${sh}$" /etc/shells + then + echo -e "${sh}${alt:+\n}${alt}" >> /etc/shells + fi + + _EOF + + dodir /etc/preremove + cat >> ${D}/etc/preremove/${PN}.sh <<-_EOF + if [ -f /etc/shells ] + then + sed -i -e '\|^${sh}$|d' /etc/shells + ${alt:+sed -i -e '\|^${alt}$|d' /etc/shells} + fi + + _EOF + done +} + __prepinstalldirs() { rm -fr ${D}/*; } @@ -950,4 +1004,4 @@ readonly -f __doinstall __fix_shebang \ exeinto doexe newexe insinto doins newins doicon newicon \ dolib doman newman domenu newmenu dosbin newsbin dosym \ make_autostart_entry make_desktop_entry make_etc_defaults \ - __prepinstalldirs cyginstall + update_etc_shells __prepinstalldirs cyginstall -- 2.8.0 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) 2016-05-12 21:36 ` [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) Yaakov Selkowitz @ 2016-05-12 21:44 ` Warren Young 2016-05-13 10:29 ` Andrew Schulman 1 sibling, 0 replies; 4+ messages in thread From: Warren Young @ 2016-05-12 21:44 UTC (permalink / raw) To: cygwin-apps On May 12, 2016, at 3:36 PM, Yaakov Selkowitz <yselkowitz@cygwin.com> wrote: > > What are the consequences of having shells listed in /etc/shells which aren't on the system? That file is a security feature, but the typical way Cygwin works — i.e. that normal users are allowed to install software, modify /etc/*, and so forth — nullifies its value. But, if you do somehow lock down /etc/shells so that normal users can’t write to it, you’re also presumably locking down /bin, so a malicious user couldn’t drop in a bogus /bin/fish file and convince other software to run it as a shell. Too bad there is no /etc/shells.d. Then non-Base shells could just add themselves there. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) 2016-05-12 21:36 ` [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) Yaakov Selkowitz 2016-05-12 21:44 ` Warren Young @ 2016-05-13 10:29 ` Andrew Schulman 2016-05-13 14:30 ` Chris Sutcliffe 1 sibling, 1 reply; 4+ messages in thread From: Andrew Schulman @ 2016-05-13 10:29 UTC (permalink / raw) To: cygwin-apps > On 2016-05-11 14:06, Yaakov Selkowitz wrote: > > On 2016-05-11 12:09, Andrew Schulman wrote: > >>> Am 10.05.2016 um 20:19 schrieb Andrew Schulman: > >>>> Achim, can you please add /bin/fish and /usr/bin/fish to /etc/shells in > >>>> base-files? > >>> > AFAICS this should be a two-step process. > > 1) base-files' default /etc/shells should contain only the shells in a > Base install, namely: > > /bin/sh > /bin/ash > /bin/bash > /bin/dash > /usr/bin/sh > /usr/bin/ash > /usr/bin/bash > /usr/bin/dash > /sbin/nologin Yep. > 2) Then all non-Base shells, namely: > > fish Andrew Schulman > mksh Chris Sutcliffe > posh Jari Aalto > tcsh Corinna Vinschen > zsh Peter A. Castro > > will bump release adding an update_etc_shells call, per the attached > patch, with the path of their shell(s). Agreed. > Attached. Any questions or comments before I make this official? This looks right, except that it edits /etc/shells directly. So if a person edits /etc/shells to remove, say, fish, and fish gets updated, as written this patch will add fish back in. (Why they'd install fish but not want it in /etc/shells I don't know, but it's possible.) Better is to add the new shell to /etc/default/etc/shells, then copy that file over /etc/shells if that file had not been previously edited. > Or, is this just not worth the trouble? What are the consequences of > having shells listed in /etc/shells which aren't on the system? /etc/shells doesn't seem to be very important in Cygwin. And it includes one shell now (pdksh) that doesn't exist in Cygwin, and it's not hurting anything. But it's not a lot of work to do it right, and I think we should. Andrew ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) 2016-05-13 10:29 ` Andrew Schulman @ 2016-05-13 14:30 ` Chris Sutcliffe 0 siblings, 0 replies; 4+ messages in thread From: Chris Sutcliffe @ 2016-05-13 14:30 UTC (permalink / raw) To: Cygwin-apps On 13 May 2016 at 06:29, Andrew Schulman wrote: >> On 2016-05-11 14:06, Yaakov Selkowitz wrote: >> > On 2016-05-11 12:09, Andrew Schulman wrote: >> >>> Am 10.05.2016 um 20:19 schrieb Andrew Schulman: >> >>>> Achim, can you please add /bin/fish and /usr/bin/fish to /etc/shells in >> >>>> base-files? >> >>> >> AFAICS this should be a two-step process. >> >> 1) base-files' default /etc/shells should contain only the shells in a >> Base install, namely: >> >> /bin/sh >> /bin/ash >> /bin/bash >> /bin/dash >> /usr/bin/sh >> /usr/bin/ash >> /usr/bin/bash >> /usr/bin/dash >> /sbin/nologin > > Yep. > >> 2) Then all non-Base shells, namely: >> >> fish Andrew Schulman >> mksh Chris Sutcliffe >> posh Jari Aalto >> tcsh Corinna Vinschen >> zsh Peter A. Castro >> >> will bump release adding an update_etc_shells call, per the attached >> patch, with the path of their shell(s). > > Agreed. I'm fine with this approach as well. Thanks, Chris -- Chris Sutcliffe ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-05-13 14:30 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <pe94jbtrjf32qn2u0mbtrful36o1trjguj@4ax.com> [not found] ` <ngvnm4$tms$1@ger.gmane.org> [not found] ` <lro6jbph7mumea7qcf0jbdnut23kujk3i4@4ax.com> [not found] ` <cf899cc5-4267-3f59-478e-b7ba5361e2eb@cygwin.com> 2016-05-12 21:36 ` [RFC] /etc/shells management (fish, mksh, posh, tcsh, zsh) Yaakov Selkowitz 2016-05-12 21:44 ` Warren Young 2016-05-13 10:29 ` Andrew Schulman 2016-05-13 14:30 ` Chris Sutcliffe
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).