GNU bug report logs - #68387
guix shell --container --share=/etc overrides shadow files


Package: guix;

Reported by: Christina O'Donnell <cdo <at> mutix.org>

Date: Thu, 11 Jan 2024 15:09:01 UTC

Severity: normal

To reply to this bug, email your comments to 68387 AT debbugs.gnu.org.



Report forwarded to bug-guix <at> gnu.org:
bug#68387; Package guix. (Thu, 11 Jan 2024 15:09:02 GMT)

Acknowledgement sent to Christina O'Donnell <cdo <at> mutix.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 11 Jan 2024 15:09:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Christina O'Donnell <cdo <at> mutix.org>
To: bug-guix <at> gnu.org
Subject: guix shell --container --share=/etc overrides shadow files
Date: Thu, 11 Jan 2024 14:10:33 +0000
Hi Guix,

Running the below command as root overrides the running system's shadow files (/etc/shadow, /etc/passwd, and /etc/group).

WARNING: Don't run the following outside of a VM!

  guix shell --container --share=/etc

This erases the current user from the passwd database, meaning `su` and `sudo` no longer work, and you can't log in.

Discussion

The context is that I was tracking down a libreoffice bug using guix time-machine and ran the very clever command trying to get the display working.

  sudo guix time-machine ... -- environment -C --ad-hoc coreutils sway \
    --preserve='DISPLAY' --preserve='XDG' --share=/etc -- sway

Now of course if you write random commands with sudo, you should expect to brick your system from time to time. And setting `--share=/etc` wasn't a particularly smart idea. However, it would have been nice to not have that wipe my shadow files.

For example, being warned about sharing /etc with a container.

To reproduce, run the Guix command in a basic VM image, connecting to the Guix daemon on the host.[1]

Please let me know if you have any questions!

Kind regards,
 - Christina O'Donnell

https://mutix.org/

---

[1] See my blog for more details:
https://mutix.org/pages/blog/20240109-how-to-run-guix-in-vm.html



