From 62ce42f8c15ec76f177898f86c47921e83d53340 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Mon, 31 Jul 2023 14:58:27 +1000
Subject: [PATCH] Improve default shells for distros (#1920)
---
 libs/profiles/container_generic.toml | 1 +
 libs/profiles/developer.toml | 1 +
 libs/profiles/release_suse_generic.toml | 1 +
 libs/profiles/src/lib.rs | 6 ++++++
 server/core/src/https/middleware/mod.rs | 2 +-
 server/lib/src/idm/event.rs | 10 ++--------
 unix_integration/src/constants.rs | 2 +-
 unix_integration/src/resolver.rs | 2 +-
 8 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/libs/profiles/container_generic.toml b/libs/profiles/container_generic.toml
index 7d36ab463..1a09762bd 100644
--- a/libs/profiles/container_generic.toml
+++ b/libs/profiles/container_generic.toml
@@ -3,3 +3,4 @@ web_ui_pkg_path = "/pkg"
 # cpu_flags = "none"
 admin_bind_path = "/data/kanidmd.sock"
 default_config_path = "/data/server.toml"
+default_unix_shell_path = "/bin/false"
diff --git a/libs/profiles/developer.toml b/libs/profiles/developer.toml
index c1e2b42cc..a8edafe2e 100644
--- a/libs/profiles/developer.toml
+++ b/libs/profiles/developer.toml
@@ -3,3 +3,4 @@ web_ui_pkg_path = "../web_ui/pkg"
 cpu_flags = "native"
 admin_bind_path = "/tmp/kanidmd.sock"
 default_config_path = "../../examples/insecure_server.toml"
+default_unix_shell_path = "/bin/bash"
diff --git a/libs/profiles/release_suse_generic.toml b/libs/profiles/release_suse_generic.toml
index 1522d7512..afe21fd28 100644
--- a/libs/profiles/release_suse_generic.toml
+++ b/libs/profiles/release_suse_generic.toml
@@ -3,3 +3,4 @@ web_ui_pkg_path = "/usr/share/kanidm/ui/pkg"
 # cpu_flags = "none"
 admin_bind_path = "/var/run/kanidmd/sock"
 default_config_path = "/etc/kanidm/server.toml"
+default_unix_shell_path = "/bin/bash"
diff --git a/libs/profiles/src/lib.rs b/libs/profiles/src/lib.rs
index 4797afc41..f9e708c4a 100644
--- a/libs/profiles/src/lib.rs
+++ b/libs/profiles/src/lib.rs
@@ -48,12 +48,14 @@ impl std::fmt::Display for CpuOptLevel { } #[derive(Debug, Deserialize)] +#[serde(deny_unknown_fields)] struct ProfileConfig { web_ui_pkg_path: String, #[serde(default)] cpu_flags: CpuOptLevel, admin_bind_path: String, default_config_path: String, + default_unix_shell_path: String, } pub fn apply_profile() { @@ -97,4 +99,8 @@ pub fn apply_profile() { "cargo:rustc-env=KANIDM_DEFAULT_CONFIG_PATH={}", profile_cfg.default_config_path ); + println!( + "cargo:rustc-env=KANIDM_DEFAULT_UNIX_SHELL_PATH={}", + profile_cfg.default_unix_shell_path + ); } diff --git a/server/core/src/https/middleware/mod.rs b/server/core/src/https/middleware/mod.rs index ac8c186b5..227caac64 100644 --- a/server/core/src/https/middleware/mod.rs +++ b/server/core/src/https/middleware/mod.rs @@ -10,8 +10,8 @@ use uuid::Uuid; pub(crate) mod caching; pub(crate) mod compression; -pub(crate) mod security_headers; pub(crate) mod hsts_header; +pub(crate) mod security_headers; // the version middleware injects const KANIDM_VERSION: &str = env!("CARGO_PKG_VERSION"); diff --git a/server/lib/src/idm/event.rs b/server/lib/src/idm/event.rs index 0dfbd113b..60a0dc41e 100644 --- a/server/lib/src/idm/event.rs +++ b/server/lib/src/idm/event.rs @@ -323,19 +323,13 @@ impl AuthEventStep { } AuthStep::Begin(mech) => match sid { - Some(sessionid) => Ok(AuthEventStep::Begin(AuthEventStepMech { - sessionid, - mech, - })), + Some(sessionid) => Ok(AuthEventStep::Begin(AuthEventStepMech { sessionid, mech })), None => Err(OperationError::InvalidAuthState( "session id not present in cred presented to 'begin' step".to_string(), )), }, AuthStep::Cred(cred) => match sid { - Some(sessionid) => Ok(AuthEventStep::Cred(AuthEventStepCred { - sessionid, - cred, - })), + Some(sessionid) => Ok(AuthEventStep::Cred(AuthEventStepCred { sessionid, cred })), None => Err(OperationError::InvalidAuthState( "session id not present in cred to 'cred' step".to_string(), )), 
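Review bot: `default_unix_shell_path` is declared as a plain `String` with no `#[serde(default)]`, so together with the new `deny_unknown_fields` every profile TOML must now carry exactly this key or `apply_profile` fails to deserialize at build time; the diffstat updates three profile files, so any other profile file outside this patch, if one exists, needs the same line. That fail-closed behaviour is reasonable but undocumented, and the field itself says nothing about where its value goes. Suggest a doc comment on the new field: `/// Path of the login shell exported to the build as KANIDM_DEFAULT_UNIX_SHELL_PATH and read by the unix integration crate as DEFAULT_SHELL; required, so a profile that omits it fails the build.` The `ProfileConfig` struct sits fully inside the hunk, but `apply_profile` continues outside it.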
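Review bot: The new `println!` in `apply_profile` exports `default_unix_shell_path` into a `cargo:rustc-env` directive with no validation, so an empty or relative value is accepted and becomes `DEFAULT_SHELL` in the unix integration crate; if that value reaches the resolver's `Path::new(shell).exists()` check, a relative path would be tested against the daemon's working directory rather than the filesystem root, and a value containing a newline would be read by cargo as a second directive. A guard before the `println!` keeps such misconfiguration at build time: `let shell = &profile_cfg.default_unix_shell_path;` followed by `assert!(shell.starts_with('/') && !shell.contains('\n'), "default_unix_shell_path must be a single absolute path");`. The body of `apply_profile` starts outside the hunk.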
diff --git a/unix_integration/src/constants.rs b/unix_integration/src/constants.rs
index 47f0b0323..368ed9fa3 100644
--- a/unix_integration/src/constants.rs
+++ b/unix_integration/src/constants.rs
@@ -6,7 +6,7 @@ pub const DEFAULT_TASK_SOCK_PATH: &str = "/var/run/kanidm-unixd/task_sock";
 pub const DEFAULT_DB_PATH: &str = "/var/cache/kanidm-unixd/kanidm.cache.db";
 pub const DEFAULT_CONN_TIMEOUT: u64 = 2;
 pub const DEFAULT_CACHE_TIMEOUT: u64 = 15;
-pub const DEFAULT_SHELL: &str = "/bin/sh";
+pub const DEFAULT_SHELL: &str = env!("KANIDM_DEFAULT_UNIX_SHELL_PATH");
 pub const DEFAULT_HOME_PREFIX: &str = "/home/";
 pub const DEFAULT_HOME_ATTR: HomeAttr = HomeAttr::Uuid;
 pub const DEFAULT_HOME_ALIAS: Option = Some(HomeAttr::Spn);
diff --git a/unix_integration/src/resolver.rs b/unix_integration/src/resolver.rs
index 19ce9e148..0b36cbee5 100644
--- a/unix_integration/src/resolver.rs
+++ b/unix_integration/src/resolver.rs
@@ -302,7 +302,7 @@ where
 let exists = Path::new(shell).exists();
 if !exists {
 info!(
- "User requested shell is not present on this system - {}",
+ "User shell is not present on this system - {}. Check `/etc/shells` for valid shell options.",
 shell
 )
 }
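Review bot: `env!("KANIDM_DEFAULT_UNIX_SHELL_PATH")` turns a missing variable into a compile error for this crate, and nothing at the use site says that the value is produced by `apply_profile` in `libs/profiles` from the selected profile's `default_unix_shell_path`, so a reader hitting "environment variable not defined" has to search the tree. The old `/bin/sh` literal had no such dependency; every build of `unix_integration` now has to run the profile build script first, which presumably its `build.rs` already does, but that is not shown in this patch. Suggest a comment above the constant: `// Baked in at build time: libs/profiles apply_profile() exports the selected profile's default_unix_shell_path. No fallback on purpose, so a profile without it fails the build instead of silently using /bin/sh.`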
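Review bot: The reworded message points the operator at `/etc/shells`, but the check on the line above is only `Path::new(shell).exists()`: `/etc/shells` is never consulted, so a shell that is listed there but not installed still triggers this log, and one that is installed but unlisted passes silently. Either the wording should describe the check actually made, e.g. `"User shell is not present on this system - {}. The shell must be installed on this host; '/etc/shells' usually lists the shells available."`, or the check should be extended to consult `/etc/shells`, which is beyond this commit. Note also that `Path::exists()` reports `false` on a permission error, so a stat failure is logged as "not present" as well. The enclosing function starts and ends outside the hunk, so what the resolver does after logging is not visible here.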