Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 928978 - acct-user/svn: an update silently changes svn user login shell and home path
Summary: acct-user/svn: an update silently changes svn user login shell and home path
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Andreas K. Hüttel
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-09 07:19 UTC by Vadim
Modified: 2024-05-07 22:24 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vadim 2024-04-09 07:19:33 UTC 
I've noticed that all accesses to svn+ssh stopped working after an update.

It turned out that shell and home path of svn user were silently changed in /etc/passwd:

===
/mnt/btrfs/snaps/root-2024.04.05/etc # diff passwd /etc/passwd
19c19
< svn:x:1002:399:System user; svn:/home/svn:/bin/bash
---
> svn:x:1002:399:System user; svn:/dev/null:/sbin/nologin
===

from /var/log/auth.log:
===
Apr  5 10:23:24 nedoserver usermod[20478]: change user 'svn' home from '/home/svn' to '/dev/null'
Apr  5 10:23:24 nedoserver usermod[20478]: change user 'svn' shell from '/bin/bash' to '/sbin/nologin'
===

As a result, ~/.ssh/authorized_keys could not be found and svn+ssh authorization stopped working.
Comment 1 Enne Eziarc 2024-04-09 14:58:00 UTC 
+1, I don't use SVN but I've had my gitea install and a few other servers broken like this. The silent part is especially bothersome.

The mechanism ought to be sticky if an existing homedir is valid, or at least not change it from a valid value to a non-dir. Can we not use /var/empty/ for that at least?
Comment 2 Vadim 2024-04-10 08:21:21 UTC 
Related bug: https://bugs.gentoo.org/819414
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-04-10 08:31:28 UTC 
(In reply to Vadim from comment #2)
> Related bug: https://bugs.gentoo.org/819414

The answer is essentially the same, too, although maybe we should document _HOME and such explicitly there on https://wiki.gentoo.org/wiki/Practical_guide_to_the_GLEP_81_migration.
Comment 4 Vadim 2024-04-11 12:51:52 UTC 
So what would be the workaround for this case?

In general, I still believe that neither acct-user/svn nor acct-user/git should blindly change (or actually set to default) appropriate user's path and shell *if* that user happened to already exist.
 
When they are installed anew and no user existed before installation time it is OK though.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2024-04-30 12:05:00 UTC 
(In reply to Vadim from comment #4)
> So what would be the workaround for this case?
> 
> In general, I still believe that neither acct-user/svn nor acct-user/git
> should blindly change (or actually set to default) appropriate user's path
> and shell *if* that user happened to already exist.
>  
> When they are installed anew and no user existed before installation time it
> is OK though.

See comment #3.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-07 22:24:12 UTC 
(In reply to Sam James from comment #3)
> (In reply to Vadim from comment #2)
> > Related bug: https://bugs.gentoo.org/819414
> 
> The answer is essentially the same, too, although maybe we should document
> _HOME and such explicitly there on
> https://wiki.gentoo.org/wiki/Practical_guide_to_the_GLEP_81_migration.

I've added that now at https://wiki.gentoo.org/index.php?title=Practical_guide_to_the_GLEP_81_migration&diff=1297221&oldid=1266511.