[2019-09-01 07:38] Niels Thykier <ni...@thykier.net>
> > > [2019-03-13 17:17] Dmitry Bogatov <kact...@debian.org>
> > > > Package: bash
> > > > Version: 5.0-2
> > > > Severity: wishlist
> > > >
> > > > Dear Maintainer,
> > > >
> > > > To contribute to effort of making bash non-essential, I propose
> > > > following patch, that should resolve issue with login #620898 (in CC).
> > > > [...]
>
> Hi Dmitry,
>
> It is my belief that the change would be a severe regression when
> applied to deconfigure and I request that you cancel/update your NMU to
> avoid breaking system configuration during upgrades.
>
> (Note: I am not commenting on the entire change - only the deconfigure
> part).
> [...]
Niels, thank you for the warning. I canceled the upload.

I considered another version of this patch (at the bottom), but it has the same flaw -- a remove-install cycle is supposed to preserve configuration.

Bringing #620898 back into the thread.

Dear maintainer of `login`, the idea of changing /etc/passwd in the bash maintainer script failed. As previously discussed, spawning /bin/sh when the user's shell is not found is a security hole, but what about a patch that checks specifically for this case:

 * if user=root
 * if shell=/bin/bash
 * if /bin/bash is missing
 * then spawn(/bin/sh) // instead of "file not found" error.

What do you think? Will you apply such a patch?

From ae1c74362a5d005766f40b6e19cdbf1621fd197c Mon Sep 17 00:00:00 2001 From: Dmitry Bogatov <kact...@debian.org> Date: Sun, 1 Sep 2019 14:03:55 +0000 Subject: [PATCH] Change shells of users from /bin/bash to /bin/sh on removal Closes: #924505 --- debian/bash.prerm | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/debian/bash.prerm b/debian/bash.prerm index 52052a2..a54a2da 100644 --- a/debian/bash.prerm +++ b/debian/bash.prerm @@ -8,7 +8,14 @@ case "$1" in /usr/share/man/man7/bash-builtins.7.gz ;; - remove|deconfigure) + deconfigure) + ;; + + remove|purge) + remove-shell /bin/bash + for user in $(awk -F: '$7 == "/bin/bash" { print $1 }' /etc/passwd) ; do + usermod -s /bin/sh "${user}" + done ;; failed-upgrade)

--
Note, that I send and fetch email in batch, once in a few days. Please, mention in body of your reply when you add or remove recipients.
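Review bot: In the new `remove|purge)` branch, the loop ending in `usermod -s /bin/sh "${user}"` rewrites every matching /etc/passwd entry unconditionally and records nothing that would let a later install restore the original shells, so the remove-install cycle loses the administrator's configuration, as the message itself concedes. Three further points on the same branch: dpkg never calls prerm with `purge` (that argument is only passed to postrm), so that half of the case label is dead; the loop does not check that /bin/sh resolves to something other than bash before pointing accounts at it, so on a system where /bin/sh is a link to bash the affected users, root included, would still end up with a shell that no longer exists; and `awk ... /etc/passwd` sees only local accounts, so users served through LDAP or another NSS source keep /bin/bash. If this approach is pursued, guard the loop with a check on what /bin/sh points to, save the list of changed accounts so that postinst can revert them, and drop `purge` from the label.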