Improve default shells for distros (#1920)

libs/profiles/container_generic.toml

@@ -3,3 +3,4 @@ web_ui_pkg_path = "/pkg"
 # cpu_flags = "none"
 admin_bind_path = "/data/kanidmd.sock"
 default_config_path = "/data/server.toml"
+default_unix_shell_path = "/bin/false"

libs/profiles/developer.toml

@@ -3,3 +3,4 @@ web_ui_pkg_path = "../web_ui/pkg"
 cpu_flags = "native"
 admin_bind_path = "/tmp/kanidmd.sock"
 default_config_path = "../../examples/insecure_server.toml"
+default_unix_shell_path = "/bin/bash"

libs/profiles/release_suse_generic.toml

@@ -3,3 +3,4 @@ web_ui_pkg_path = "/usr/share/kanidm/ui/pkg"
 # cpu_flags = "none"
 admin_bind_path = "/var/run/kanidmd/sock"
 default_config_path = "/etc/kanidm/server.toml"
+default_unix_shell_path = "/bin/bash"

libs/profiles/src/lib.rs

@@ -48,12 +48,14 @@ impl std::fmt::Display for CpuOptLevel {
 }
 
 #[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
 struct ProfileConfig {
     web_ui_pkg_path: String,
     #[serde(default)]
     cpu_flags: CpuOptLevel,
     admin_bind_path: String,
     default_config_path: String,
+    default_unix_shell_path: String,
 }
 
 pub fn apply_profile() {
@@ -97,4 +99,8 @@ pub fn apply_profile() {
         "cargo:rustc-env=KANIDM_DEFAULT_CONFIG_PATH={}",
         profile_cfg.default_config_path
     );
+    println!(
+        "cargo:rustc-env=KANIDM_DEFAULT_UNIX_SHELL_PATH={}",
+        profile_cfg.default_unix_shell_path
+    );
 }

server/core/src/https/middleware/mod.rs

@@ -10,8 +10,8 @@ use uuid::Uuid;
 
 pub(crate) mod caching;
 pub(crate) mod compression;
-pub(crate) mod security_headers;
 pub(crate) mod hsts_header;
+pub(crate) mod security_headers;
 
 // the version middleware injects
 const KANIDM_VERSION: &str = env!("CARGO_PKG_VERSION");

server/lib/src/idm/event.rs

@@ -323,19 +323,13 @@ impl AuthEventStep {
             }
 
             AuthStep::Begin(mech) => match sid {
-                Some(sessionid) => Ok(AuthEventStep::Begin(AuthEventStepMech {
+                Some(sessionid) => Ok(AuthEventStep::Begin(AuthEventStepMech { sessionid, mech })),
-                    sessionid,
-                    mech,
-                })),
                 None => Err(OperationError::InvalidAuthState(
                     "session id not present in cred presented to 'begin' step".to_string(),
                 )),
             },
             AuthStep::Cred(cred) => match sid {
-                Some(sessionid) => Ok(AuthEventStep::Cred(AuthEventStepCred {
+                Some(sessionid) => Ok(AuthEventStep::Cred(AuthEventStepCred { sessionid, cred })),
-                    sessionid,
-                    cred,
-                })),
                 None => Err(OperationError::InvalidAuthState(
                     "session id not present in cred to 'cred' step".to_string(),
                 )),

unix_integration/src/constants.rs

@@ -6,7 +6,7 @@ pub const DEFAULT_TASK_SOCK_PATH: &str = "/var/run/kanidm-unixd/task_sock";
 pub const DEFAULT_DB_PATH: &str = "/var/cache/kanidm-unixd/kanidm.cache.db";
 pub const DEFAULT_CONN_TIMEOUT: u64 = 2;
 pub const DEFAULT_CACHE_TIMEOUT: u64 = 15;
-pub const DEFAULT_SHELL: &str = "/bin/sh";
+pub const DEFAULT_SHELL: &str = env!("KANIDM_DEFAULT_UNIX_SHELL_PATH");
 pub const DEFAULT_HOME_PREFIX: &str = "/home/";
 pub const DEFAULT_HOME_ATTR: HomeAttr = HomeAttr::Uuid;
 pub const DEFAULT_HOME_ALIAS: Option<HomeAttr> = Some(HomeAttr::Spn);

unix_integration/src/resolver.rs

@@ -302,7 +302,7 @@ where
                 let exists = Path::new(shell).exists();
                 if !exists {
                     info!(
-                        "User requested shell is not present on this system - {}",
+                        "User shell is not present on this system - {}. Check `/etc/shells` for valid shell options.",
                         shell
                     )
                 }