Changing shell to anything but /bin/sh and /bin/bash breaks SSH #810

Open
mattfbacon opened this issue Dec 30, 2023 · 3 comments
Labels: bug (Something isn't working), packages (Add or improve packages of the repository)

Comments

@mattfbacon

The fish package doesn't add fish to /etc/shells, which causes dropbear to reject new SSH sessions with "permission denied" because "User 'root' has invalid shell, rejected". The package should add fish to /etc/shells.
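A check of the kind the quoted error describes can be reproduced offline. The following is an added example, not part of the original issue or the project's code: a POSIX sh function that lists accounts whose login shell is missing from the shells file. The sample files and the /opt/bin/fish path are constructed, and treating an empty shell field as /bin/sh follows passwd(5).

```shell
#!/bin/sh
# Added example (not from the issue): report accounts whose login shell
# is absent from the shells list, the condition behind "invalid shell".

# unlisted_shells [passwd_file] [shells_file] -> prints "user:shell" lines
unlisted_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: '
        # Shells list: drop # comments and surrounding whitespace.
        FILENAME == ARGV[1] {
            line = $0
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") allowed[line] = 1
            next
        }
        # passwd entry: name:pw:uid:gid:gecos:home:shell
        NF >= 7 {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # passwd(5) default
            if (!(shell in allowed)) print $1 ":" shell
        }
    ' "$shells_file" "$passwd_file"
}

# Constructed sample data; /opt/bin/fish is an assumed install path.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '/bin/sh' '/bin/bash' > "$tmp/shells"
    printf '%s\n' \
        'root:x:0:0:root:/home/root:/opt/bin/fish' \
        'svc:x:1000:1000::/home/svc:' \
        'dev:x:1001:1001::/home/dev:/bin/bash' > "$tmp/passwd"
    unlisted_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

Called with no arguments, unlisted_shells reads /etc/passwd and /etc/shells, so it can be run before changing a login shell to confirm the new shell is listed.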

mattfbacon added the bug and packages labels Dec 30, 2023
Eeems changed the title from "Add fish to /etc/shells" to "Changing shell to anything but /bin/sh and /bin/bash breaks SSH" Dec 30, 2023
@Eeems
Member

Eeems commented Dec 30, 2023

We'll have to sort out how to add values to /etc/shells automatically for all the different shells in entware. That, or have something on startup that forces the shell for root to be /bin/sh and then makes sure to add code to launch the other shell to the user profile.

@pmnlla

pmnlla commented Feb 14, 2025

FISH is not a POSIX-compliant shell. This means that a large number of scripts that a system bringup is reliant upon, which need to be run within a shell, may not work. Setting the root shell as fish is never a good idea, as any Linux system has a large reliance on the root user, and breaking it in minor ways can cause catastrophic system-wide failure.

When using a reMarkable tablet, xochitl handles 99% of your user interactions. However, as soon as you break out of it, e.g. with SSH or USART, you exhibit full control over every tiny thing that happens in the tablet. It is insanely easy to break a system with the root user, and this, combined with a lack of security restrictions, is the reason why certain Linux software straight up refuses to run as root, and opts for need-based authentication.

Yes, fish should be added to /etc/shells. No, you should not set it as your main shell.

But there's a massive chance I'm wrong. For future reference, I'll try to load dash to recreate the issue with, as well as fish.

@mattfbacon
Author

I don't really understand this point; scripts would write #!/bin/sh or similar, which will not be affected by the user's shell. In my opinion, and I haven't found anything to contradict this, the shell set in /etc/passwd is only meant for interactive use by the user. This is the same principle used by /bin/nologin to deny login -- you can still execute commands with this user by just running a shell manually -- the login shell is only used for logins. Yes, this can break some things, like shell completions, that add stuff to ~/.profile or similar, but it is a very "soft" breakage, where the completions are ignored (and they wouldn't work anyway in fish, for example).
