On 2024-02-15 16:30:25 -0800, Russ Allbery wrote:
> I was only able to find this discussion of why pkexec checks $SHELL, and
> it doesn't support my assumption that it was an intentional security
> measure, so I may well be wrong in that part of my analysis. Apologies
> for that; I clearly should have done more research. git blame points to a
> commit that only references this thread:
>
> https://lists.freedesktop.org/archives/polkit-devel/2009-December/000282.html
>
> which seems to imply that this was done to match sudo behavior and because
> the author believed this was the right way to validate the SHELL setting.

This is the kind of information that should have been put as a comment
in the source code.

But the pkexec code seems to be buggy because sudo does *not* check
that the $SHELL value is in /etc/shells?

In the sudo(8) man page:

     -s, --shell
             Run the shell specified by the SHELL environment variable
             if it is set or the shell specified by the invoking user's
             password database entry. [...]
[...]
     SHELL   Used to determine shell to run with -s option.

and there is no mention of /etc/shells.

/etc/shells is mentioned in sudoers(5):

     runas_check_shell
             If enabled, sudo will only run commands as a user whose
             shell appears in the /etc/shells file, even if the
             invoking user's Runas_List would otherwise permit it.
             [...]

So this concerns the login shell of the target user, not the $SHELL
value. This is confirmed by the sudo source:

/*
 * Returns true if the user's shell is considered to be valid.
 */
bool
user_shell_valid(const struct passwd *pw)
{
    debug_decl(user_shell_valid, SUDOERS_DEBUG_NSS);

    if (!def_runas_check_shell)
        debug_return_bool(true);

    debug_return_bool(valid_shell(pw->pw_shell));
}

where valid_shell() does

    while ((entry = CALL(getusershell)()) != NULL) {
        if (strcmp(entry, shell) == 0)
            debug_return_bool(true);
    }

But chsh will set the login shell to a pathname from /etc/shells,
so that there are no issues with aliased pathnames in this case.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
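
An added example, not part of the original message and not code from sudo or polkit: it contrasts the exact-string comparison done by the quoted valid_shell() loop with a hypothetical same-file comparison, to show why an aliased pathname in $SHELL can fail a check that a login shell taken from /etc/shells passes. The function names and the constructed alias "/bin/./sh" used to exercise them are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Exact string match: the comparison done by the valid_shell() loop quoted above. */
bool listed_by_name(const char *shell, const char *const *entries)
{
    for (; *entries != NULL; entries++)
        if (strcmp(*entries, shell) == 0)
            return true;
    return false;
}

/* Hypothetical alternative: match when shell is the same file as a listed entry. */
bool listed_by_file(const char *shell, const char *const *entries)
{
    struct stat want, have;

    if (stat(shell, &want) != 0)
        return false;                    /* missing or unreadable: never valid */
    for (; *entries != NULL; entries++)
        if (stat(*entries, &have) == 0 &&
            have.st_dev == want.st_dev && have.st_ino == want.st_ino)
            return true;
    return false;
}

int main(void)
{
    const char *entries[64] = { NULL }, *e, *env = getenv("SHELL");
    struct passwd *pw = getpwuid(getuid());
    size_t n = 0;

    setusershell();                      /* load the real /etc/shells */
    while (n < 63 && (e = getusershell()) != NULL)
        entries[n++] = strdup(e);
    endusershell();
    if (pw != NULL)                      /* what runas_check_shell looks at */
        printf("login shell %s: by name %d\n", pw->pw_shell, listed_by_name(pw->pw_shell, entries));
    if (env != NULL)                     /* what the pkexec check looks at */
        printf("$SHELL %s: by name %d, by file %d\n", env, listed_by_name(env, entries), listed_by_file(env, entries));
    return 0;
}
```

The stat()-based comparison is only an illustration of the aliasing effect; it checks file identity at one instant and is not presented here as what either project does or should do.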