[Pkg-shadow-devel] Bug#924505: bash: set shell to /bin/sh on removal
Dmitry Bogatov
KAction at disroot.org
Mon Sep 2 20:14:44 BST 2019
[2019-09-01 07:38] Niels Thykier <niels at thykier.net>
> > > [2019-03-13 17:17] Dmitry Bogatov <KAction at debian.org>
> > > > Package: bash
> > > > Version: 5.0-2
> > > > Severity: wishlist
> > > >
> > > > Dear Maintainer,
> > > >
> > > > To contribute to the effort of making bash non-essential, I propose the
> > > > following patch, which should resolve the issue with login #620898 (in CC).
> > > > [...]
>
> Hi Dmitry,
>
> It is my belief that the change would be a severe regression when
> applied to deconfigure and I request that you cancel/update your NMU to
> avoid breaking system configuration during upgrades.
>
> (Note: I am not commenting on the entire change - only the deconfigure
> part).
> [...]
Niels, thank you for the warning. I canceled the upload. I considered another
version of this patch (at the bottom), but it has the same flaw --
a remove-install cycle is supposed to preserve configuration.
Bringing this back into thread #620898.
Dear maintainer of `login`, the idea of changing /etc/passwd in the bash
maintainer script failed. As previously discussed, spawning /bin/sh when the
user's shell is not found is a security hole, but what about a patch that
checks specifically for this case:
* if user=root
* if shell=/bin/bash
* if /bin/bash is missing
* then spawn(/bin/sh) // instead of "file not found" error.
What do you think? Will you apply such patch?
From ae1c74362a5d005766f40b6e19cdbf1621fd197c Mon Sep 17 00:00:00 2001
From: Dmitry Bogatov <KAction at debian.org>
Date: Sun, 1 Sep 2019 14:03:55 +0000
Subject: [PATCH] Change shells of users from /bin/bash to /bin/sh on removal
Closes: #924505
---
debian/bash.prerm | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/debian/bash.prerm b/debian/bash.prerm
index 52052a2..a54a2da 100644
--- a/debian/bash.prerm
+++ b/debian/bash.prerm
@@ -8,7 +8,14 @@ case "$1" in
/usr/share/man/man7/bash-builtins.7.gz
;;
- remove|deconfigure)
+ deconfigure)
+ ;;
+
+ remove|purge)
+ remove-shell /bin/bash
+ for user in $(awk -F: '$7 == "/bin/bash" { print $1 }' /etc/passwd) ; do
+ usermod -s /bin/sh "${user}"
+ done
;;
failed-upgrade)
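Review bot: the `remove|purge)` loop rewrites the login shell of every local account, root included, as a side effect of plain `remove`, and nothing in the patch restores those shells when bash is installed again, so a remove/install cycle no longer preserves configuration; that is the same objection already raised against the `deconfigure` variant. Two smaller points: `purge` is a postrm action and never reaches prerm, so `remove|purge)` is effectively just `remove)`; and the `awk` over /etc/passwd only sees local accounts while `usermod` (from the passwd package) must be present at prerm time for the loop to succeed. Suggest dropping the `usermod` loop here and handling the missing-shell case on the login side as proposed in the body of the mail, or at minimum recording which accounts were changed so postinst can put them back.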
--
Note that I send and fetch email in batches, once every few days.
Please mention in the body of your reply when you add or remove recipients.
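The narrow check proposed in the mail body (root, shell exactly /bin/bash, file missing), as an added example in C that is not code from login or the shadow package: `choose_login_shell`, `shell_missing` and the two simulated predicates are hypothetical names, and the existence test is injected so the rule can be exercised without actually removing bash.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick the shell login should exec.  The "is this path missing?" test is
 * injected so the rule can be exercised without removing bash.  Only one
 * narrow case changes behaviour: root, configured shell exactly /bin/bash,
 * and that file absent -> /bin/sh.  Everything else returns the configured
 * shell unchanged, so login keeps failing for it exactly as it does today. */
const char *choose_login_shell(uid_t uid, const char *pw_shell,
                               int (*is_missing)(const char *))
{
    if (pw_shell == NULL || !is_missing(pw_shell))
        return pw_shell;                      /* normal case, or nothing to decide */
    if (uid == 0 && strcmp(pw_shell, "/bin/bash") == 0)
        return "/bin/sh";                     /* root's bash was removed: fall back */
    return pw_shell;                          /* other users / other shells: unchanged */
}

/* Real predicate for login: "missing" means the file does not exist (ENOENT),
 * not merely non-executable, so a present but broken shell still yields the
 * usual exec error instead of a silent substitution. */
int shell_missing(const char *path)
{
    return access(path, F_OK) != 0 && errno == ENOENT;
}

/* Constructed test doubles that simulate a system state (not real lookups). */
int bash_removed(const char *path)            /* only /bin/bash is gone */
{
    return strcmp(path, "/bin/bash") == 0;
}

int nothing_removed(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
    printf("root, /bin/bash removed     -> exec %s\n",
           choose_login_shell(0, "/bin/bash", bash_removed));
    printf("uid 1000, /bin/bash removed -> exec %s (still fails)\n",
           choose_login_shell(1000, "/bin/bash", bash_removed));
    return 0;
}
```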