Remove silent lock for login shell bash/sh on non-admin users

Added some security information in YANG model, and it is now up to the system administrator to handle potential security issues. This fix #616
kernelkit · Sep 16, 2024 · d1a14c6 · d1a14c6
1 parent 020a604
commit d1a14c6
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 18 deletions.
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -33,11 +33,12 @@ All notable changes to the project are documented in this file.
   regression introduced in v24.06.0
 - Spellcheck path to `/var/lib/containers` when unpacking OCI archives
   on container upgrade
+- Fix #616: Silent failure when selecting bash as login shell for
+  non-admin user, this silent lock has been removed.
 - The timeout before giving up on loading the `startup-config` at boot
   is now 1 minute, just like operations via other front-ends (NETCONF
   and RESTCONF). This was previously (incorrectly) set to 10 seconds.
 
-
 [v24.08.0][] - 2024-08-30
 -------------------------
 
@@ -56,7 +57,7 @@ Finally, the following consumer boards are now fully supported:
 - Upgrade Buildroot to 2024.02.5 (LTS)
 - Upgrade Linux kernel to 6.6.46 (LTS)
 - Issue #158: enhance security of factory reset.  All file content
-  is now overwritten x3, the last time with zeroes, then removed.  
+  is now overwritten x3, the last time with zeroes, then removed.
   Example, on the NanoPi R2S this process takes ~30 seconds, but may
   take longer in setups with bigger configurations, e.g., containers
 - Issue #497: support for auto-mounting USB media.  Useful for logging,

diff --git a/src/confd/src/ietf-system.c b/src/confd/src/ietf-system.c
@@ -45,11 +45,11 @@ static char   *os  = NULL;
 static char   *nm  = NULL;
 static char   *id  = NULL;
 
-static struct { char *name, *shell; bool admin; } shells[] = {
-	{ "infix-system:sh",    "/bin/sh",    true  },
-	{ "infix-system:bash",  "/bin/bash",  true  },
-	{ "infix-system:clish", "/bin/clish", false },
-	{ "infix-system:false", "/bin/false", false },
+static struct { char *name, *shell; } shells[] = {
+	{ "infix-system:sh",    "/bin/sh"    },
+	{ "infix-system:bash",  "/bin/bash"  },
+	{ "infix-system:clish", "/bin/clish" },
+	{ "infix-system:false", "/bin/false" }
 };
 
 static char *strip_quotes(char *str)
@@ -687,7 +687,7 @@ static int is_valid_username(const char *user)
 	return 1;
 }
 
-static char *sys_find_usable_shell(sr_session_ctx_t *sess, char *name, bool is_admin)
+static char *sys_find_usable_shell(sr_session_ctx_t *sess, char *name)
 {
 	const char *conf = NULL;
 	char *shell = NULL;
@@ -708,11 +708,6 @@ static char *sys_find_usable_shell(sr_session_ctx_t *sess, char *name, bool is_a
 			if (strcmp(shells[i].name, conf))
 				continue;
 
-			if (!is_admin && shells[i].admin) {
-				WARN("Selected login shell for %s only allowed for administrators!", name);
-				break;
-			}
-
 			shell = shells[i].shell;
 			break;
 		}
@@ -777,7 +772,7 @@ static int sys_del_user(char *user, bool silent)
  */
 static int sys_call_adduser(sr_session_ctx_t *sess, char *name, uid_t uid, gid_t gid)
 {
-	char *shell = sys_find_usable_shell(sess, name, is_admin_user(sess, name));
+	char *shell = sys_find_usable_shell(sess, name);
 	char *eargs[] = {
 		"adduser", "-d", "-s", shell, "-u", NULL, "-G", NULL, "-H", name, NULL
 	};
@@ -1125,7 +1120,7 @@ static sr_error_t handle_sr_shell_update(sr_session_ctx_t *sess, struct confd *c
 	if (!user)
 		return SR_ERR_OK;
 
-	shell = sys_find_usable_shell(sess, (char *)user, is_admin_user(sess, user));
+	shell = sys_find_usable_shell(sess, (char *)user);
 	if (set_shell(user, shell)) {
 		AUDIT("Failed updating shell to %s for user \"%s\"", shell, user);
 		err = SR_ERR_SYS;
@@ -1437,7 +1432,7 @@ static int change_nacm(sr_session_ctx_t *session, uint32_t sub_id, const char *m
 		bool is_admin = is_admin_user(session, user);
 		const char *shell;
 
-		shell = sys_find_usable_shell(session, (char *)user, is_admin);
+		shell = sys_find_usable_shell(session, (char *)user);
 		if (set_shell(user, shell))
 			AUDIT("Failed adjusting shell for user \"%s\"", user);
 

diff --git a/src/confd/yang/confd.inc b/src/confd/yang/confd.inc
@@ -32,7 +32,7 @@ MODULES=(
 	"infix-lldp@2023-08-23.yang"
 	"infix-dhcp-client@2024-04-12.yang"
 	"infix-meta@2024-06-19.yang"
-	"infix-system@2024-06-15.yang"
+	"infix-system@2024-09-13.yang"
 	"infix-services@2024-05-30.yang"
 	"ieee802-ethernet-interface@2019-06-21.yang"
 	"infix-ethernet-interface@2024-02-27.yang"

diff --git a/src/confd/yang/infix-system@2024-06-15.yang → src/confd/yang/infix-system@2024-09-13.yang b/src/confd/yang/infix-system@2024-06-15.yang → src/confd/yang/infix-system@2024-09-13.yang
@@ -16,6 +16,11 @@ module infix-system {
   contact      "kernelkit@googlegroups.com";
   description  "Infix augments and deviations to ietf-system.";
 
+  revision 2024-09-13 {
+    description "Add some informative help about different shells and security.";
+    reference "internal";
+  }
+
   revision 2024-06-15 {
     description "Merge infix-shell-types.yang to add shell-type identities.";
     reference "internal";
@@ -242,7 +247,12 @@ module infix-system {
         base shell-type;
       }
       default false;
-      description "Set UNIX login shell for user, default: none (security)";
+      description "Set UNIX login shell for user.
+
+                   For security reasons avoid shells bash and sh for non-admin users.
+                   This since this may open the system for local security issues.
+
+                   default: none (security)";
     }
   }