GNU bug report logs - #68387
guix shell --container --share=/etc overrides shadow files


Package: guix; Reported by: Christina O'Donnell <cdo@HIDDEN>; dated Thu, 11 Jan 2024 15:09:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at submit <at> debbugs.gnu.org:

Message-ID: <c4025879-58b3-7524-6e8e-0749059ac086@HIDDEN>
Date: Thu, 11 Jan 2024 14:10:33 +0000
From: Christina O'Donnell <cdo@HIDDEN>
Subject: guix shell --container --share=/etc overrides shadow files
To: bug-guix@HIDDEN

Hi Guix,

Running the below command as root overrides the running system's shadow files (/etc/shadow, /etc/passwd, and /etc/group).

WARNING: Don't run the following outside of a VM!

   guix shell --container --share=/etc

This erases the current user from the passwd database, meaning `su` and `sudo` no longer work, and you can't log in.

Discussion

The context is that I was tracking down a libreoffice bug using guix time-machine and ran the very clever command trying to get the display working.

   sudo guix time-machine ... -- environment -C --ad-hoc coreutils sway \
     --preserve='DISPLAY' --preserve='XDG' --share=/etc -- sway

Now of course if you write random commands with sudo, you should expect to brick your system from time to time. And setting `--share=/etc` wasn't a particularly smart idea. However, it would have been nice to not have that wipe my shadow files.

For example, being warned about sharing /etc with a container.

To reproduce, run the Guix command in a basic VM image, connecting to Guix
daemon on the host.[1]

Please let me know if you have any questions!

Kind regards,
  - Christina O'Donnell

https://mutix.org/

---

[1] See my blog for more details:
https://mutix.org/pages/blog/20240109-how-to-run-guix-in-vm.html
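A pre-flight check along the lines of the warning the report asks for, as an added example (not Guix's own code; `guix_share_risk` is a hypothetical helper name): it scans a `guix shell` argument list and flags any `--share` mapping whose container-side target would let Guix's own writes to /etc/passwd, /etc/group and /etc/shadow land on the host. It assumes the `--share=SOURCE[=TARGET]` syntax and treats a bare `--share SOURCE` the same way.

```shell
# Hypothetical guard for `guix shell --container` invocations (not part of Guix).
# Returns 0 when the argument list is safe, 1 when a --share mapping would
# expose the host's account database (/etc, or one of its shadow files, or the
# whole root) read-write at a container path that Guix populates itself.
# --expose is ignored here because it mounts read-only.
guix_share_risk() {
  rc=0
  pending=0
  for arg in "$@"; do
    if [ "$pending" = 1 ]; then
      spec=$arg
      pending=0
    else
      case "$arg" in
        --share=*) spec=${arg#--share=} ;;
        --share)   pending=1; continue ;;   # value follows as the next word
        *)         continue ;;
      esac
    fi
    # --share=SOURCE[=TARGET]; the target inside the container defaults to SOURCE.
    src=${spec%%=*}
    case "$spec" in
      *=*) target=${spec#*=} ;;
      *)   target=$src ;;
    esac
    # Normalise a trailing slash so "/etc/" and "/etc" compare equal.
    target=${target%/}
    [ -z "$target" ] && target=/
    case "$target" in
      /|/etc|/etc/passwd|/etc/shadow|/etc/group)
        printf 'WARNING: %s maps host %s read-write at container %s; Guix will overwrite the account files there\n' \
          "$arg" "$src" "$target" >&2
        rc=1 ;;
    esac
  done
  return $rc
}
```

Wrap a launch as `guix_share_risk "$@" && guix shell "$@"` to refuse the command instead of merely warning.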




Acknowledgement sent to Christina O'Donnell <cdo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#68387; Package guix.
Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.