Bug 910758 - sys-apps/baselayout - include both /bin/bash and /usr/bin/bash in /etc/shells
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's Team for Core System packages
Blocks: usrmerge, usrmerge-fixes
Reported: 2023-07-24 01:35 UTC by Rahil Bhimjiani
Modified: 2024-05-07 12:36 UTC
Description Rahil Bhimjiani 2023-07-24 01:35:04 UTC
### Steps to reproduce:
1. Add USE "homed" to make.conf
2. Reemerge world set
3. Start systemd-homed.service & create a brand new user with homectl
4. Try to log in via tty/console
5. Pull your hair trying to figure out why it wouldn't work. Followed by enough research on pam that qualifies you for a PhD on that. :-)

### Troubleshooting:
After 2 days of mind-boggling, unable to log in & feeling like a digital handicap, I finally pinpointed the problem to the following line in /etc/pam.d/system-login, which was not letting me pass.

`auth		required	pam_shells.so`

Weird. Bash is already listed in /etc/shells. But it's /bin/bash, which is a symlink to /usr/bin/bash (on my systemd-merged-usr profile). So the problem is systemd-homed doesn't allow login from symlinked shells.

### Proper fix
Up to the distro to decide. Option 1 and/or 2.
1. Request upstream systemd to allow login from symlinked shells. Unlikely to happen, as they might justify it as a hardening measure for security.
2. Update sys-apps/baselayout and include all shells with the /usr/ prefix (i.e. /usr/bin/bash)

### Quick workaround:
Add /usr/bin/bash to /etc/shells
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-24 01:38:34 UTC
Huh.
Comment 2 Rahil Bhimjiani 2023-07-24 02:14:43 UTC
Is the causing factor pam_shells or pam_systemd_home?

If pam_shells, then why are shadow users allowed with /bin/bash and systemd-homed users aren't?

So my noob guess is pam_shells is letting through homed-users but pam_systemd_home is probably also checking /etc/shells.
Comment 3 Rahil Bhimjiani 2023-07-24 09:38:36 UTC
Okay. Further troubleshooting.

So the culprit was that I was creating the user with `homectl create username --shell=/usr/bin/bash`, which is also technically correct and should allow login.

For normal shadow users, `useradd --shell /usr/bin/bash testuser` will also prevent the user from logging in.

Final verdict: 
- Nothing to do with systemd 
- pam_shells doesn't consider /bin/bash & /usr/bin/bash as same
- /etc/shells from sys-apps/baselayout should include both variants (/bin/bash & /usr/bin/bash) to avoid such rare bugs. Debian & Fedora are also using both variants.
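
The check from the final verdict above, as an added example that is not part of the bug report or of Linux-PAM: it models the /etc/shells test as an exact string comparison and flags accounts whose login shell is only an alias (the same file after symlink resolution) of a listed entry. The function names are hypothetical, and it reads /etc/passwd only, so homectl-managed users are not covered.

```python
import os


def read_shells(path="/etc/shells"):
    """Entries of /etc/shells as literal strings; blank and '#' lines skipped."""
    with open(path) as f:
        lines = (line.strip() for line in f)
        return [entry for entry in lines if entry and not entry.startswith("#")]


def audit(passwd_path="/etc/passwd", shells_path="/etc/shells"):
    """Classify each account's login shell against /etc/shells.

    Returns (user, shell, status) tuples, where status is one of:
      listed   - the exact string appears in /etc/shells
      alias    - not listed, but resolves to the same file as a listed entry
                 (the /bin/bash vs /usr/bin/bash case from this bug)
      unlisted - neither the string nor the file it resolves to is listed
    """
    listed = read_shells(shells_path)
    listed_set = set(listed)
    # Map the symlink-resolved path of every listed shell back to its entry.
    resolved = {os.path.realpath(entry): entry for entry in listed}
    results = []
    with open(passwd_path) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if line.startswith("#") or len(fields) < 7:
                continue
            # passwd(5): an empty shell field means /bin/sh.
            user, shell = fields[0], fields[6] or "/bin/sh"
            if shell in listed_set:
                status = "listed"
            elif os.path.realpath(shell) in resolved:
                status = "alias"
            else:
                status = "unlisted"
            results.append((user, shell, status))
    return results


if __name__ == "__main__":
    # Print only accounts that an exact-match check would reject.
    for user, shell, status in audit():
        if status != "listed":
            print(f"{status:8} {user:16} {shell}")
```

An `alias` result is the situation reported here: the fix is either to change the account's shell to the listed spelling or to add the second path to /etc/shells.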
Comment 4 Rahil Bhimjiani 2023-09-20 08:36:13 UTC
Any update on this?
Comment 5 Mike Gilbert gentoo-dev 2023-09-24 22:10:27 UTC
I don't see anything to "fix" here. pam_shells is operating as intended, and users should use "/bin/bash" instead of "/usr/bin/bash".

If you insist on using /usr/bin/bash, you can always edit /etc/shells manually.
Comment 6 Mike Gilbert gentoo-dev 2024-02-21 16:05:14 UTC
I suppose listing /bin/bash and /usr/bin/bash in /etc/shells would not be harmful, so we can revisit this.