Thorsten Glaser <t...@mirbsd.de> writes: > Dixi quod… >> Russ Allbery dixit:
>>> My guess is that pkexec is calling realpath to canonicalize the path >>> before checking for it in /etc/shells, although I have not confirmed >>> this. >> Now that would be weird and should be fixed… > Another question that probably should be answered first is that why > pkexec (whatever that is) checks against /etc/shells and if that’s > correct. Okay, I have done more research. My speculation that pkexec might use realpath was wrong. It does only check the contents of the SHELL environment variable. See: https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/programs/pkexec.c?ref_type=heads#L343 https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/programs/pkexec.c?ref_type=heads#L405 It does check whether $SHELL is found in /etc/shells. So your question about what is setting the $SHELL variable is a good one, although I think I would still argue that it's not the most effective way to solve the issue. > I’d be really appreciative if I did not have to add extra nōn-canonical > paths to /etc/shells for bugs in unrelated software. I understand the appeal of that stance, but the problem with it is that there is no enforcement of this definition of canonical. I know that you consider /bin/mksh to be the correct path, but /usr/bin/mksh is also present and works exactly the same. chsh will prevent unprivileged users from changing their shell to the /usr/bin path because of /etc/shells, but not if someone makes that change as root. Also, I'm not sure useradd cares, or possibly other ways of adding a user with a shell (Puppet, for instance). Or, for that matter, just editing /etc/passwd as root, which I admit is how I usually set the shells of users because I've been using UNIX for too long. Having only the /bin paths is fragile because it creates an expectation that every user who sets the shell is going to know that /bin/mksh is the correct path and /usr/bin/mksh is the wrong path and will not use the latter. I'm not sure how they're supposed to receive this information; I don't think it's going to be obvious to everyone who may be involved in setting the shell. We can tell everyone who ends up with /usr/bin/mksh that they need to change it to /bin/mksh, but this seems kind of tedious and annoying, and I'm not seeing the downside to registering both paths. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
