
macOS 11.5.1 has /etc/shells that nix-darwin doesn't recognize

Open lilyball opened this issue 3 years ago • 4 comments

nix-darwin won't overwrite the /etc/shells file on a macOS 11.5.1 install, as it doesn't recognize the contents. The file looks like:

# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/bash
/bin/csh
/bin/dash
/bin/ksh
/bin/sh
/bin/tcsh
/bin/zsh

This is rather surprising as the /etc/shells that nix-darwin generates has precisely this as the prefix.

lilyball avatar Jul 29 '21 21:07 lilyball

If I'm not mistaken, knownSha256Hashes has to be set for the etc activation script to potentially replace a file.

I say this because I don't see the key set here, for some reason: https://github.com/LnL7/nix-darwin/blob/007d700e644ac588ad6668e6439950a5b6e2ff64/modules/system/shells.nix#L27

I guess it was missed when knownSha256Hashes was added?

winterqt avatar Jul 30 '21 00:07 winterqt

IIRC when I asked about this LnL7 said that it was deliberate in case writing to /etc/shells bricked something. I think it's riskier if anything to have to manually move it out of the way on every OS upgrade, though, so I'd be in favour of adding the hash.

emilazy avatar Dec 24 '21 03:12 emilazy

Since /etc/shells doesn't seem to matter, at least as of macOS 12 (except perhaps for FTP, as indicated by the header comment), I ended up just doing environment.shells = mkForce [ ]; in my own config to bypass this.

Also if /etc/shells is a particular concern, maybe it's worth switching to using a custom activation script that only writes the file out if it contains something other than the default, thus ensuring that fresh nix-darwin installs don't print this warning.

lilyball avatar Dec 26 '21 22:12 lilyball

Or, heck, use the custom script to make it write the file out as a real file instead of as a symlink, and enforce the presence of all default shells (so environment.shells = mkForce [ pkgs.fish ] doesn't make bash illegal). This way, if something besides ftp really does rely on this (or nix-darwin is being used on a version of macOS that still cares about /etc/shells for login), there's no risk of it being a symlink (e.g. if you install nix-darwin and then uninstall Nix).

lilyball avatar Dec 26 '21 22:12 lilyball
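The approach sketched in the last two comments (write /etc/shells as a regular file, always keep Apple's default shells, and only replace a file whose contents are recognised), as an added POSIX shell example. This is not nix-darwin's activation script or any code from the thread; the function names (`render_shells`, `can_replace`, `install_shells`), the `KNOWN_SHELLS_HASHES` variable and the stock file content reconstructed from the issue text are all assumptions made for the example. It never touches the real /etc/shells; the demo at the bottom works on a scratch copy.

```shell
#!/bin/sh
# Added example, not nix-darwin's code: manage an /etc/shells-style file as a
# real file, keep the stock shells present, and refuse unknown contents.
set -eu

# Stock macOS 11.5.1 content, reconstructed from the issue (assumption).
HEADER="# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells."
DEFAULT_SHELLS="/bin/bash
/bin/csh
/bin/dash
/bin/ksh
/bin/sh
/bin/tcsh
/bin/zsh"

# Extra hashes of files we are allowed to replace (space separated), in the
# spirit of knownSha256Hashes; empty by default (hypothetical variable).
KNOWN_SHELLS_HASHES="${KNOWN_SHELLS_HASHES:-}"

# SHA-256 of stdin, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Render the file: header, blank line, stock shells, then the extra shells
# given as arguments. Duplicates are dropped so passing /bin/zsh is harmless,
# and the stock shells can never be removed (the mkForce [ pkgs.fish ] case).
render_shells() {
  printf '%s\n\n' "$HEADER"
  {
    printf '%s\n' "$DEFAULT_SHELLS"
    for s in "$@"; do printf '%s\n' "$s"; done
  } | awk '!seen[$0]++'
}

# Returns 0 if TARGET may be overwritten: it is missing, it is a symlink
# (e.g. a stale link into a removed Nix store), it still has the stock
# content, it already has the content we would write, or its hash is listed
# in KNOWN_SHELLS_HASHES. Anything else is unrecognised and returns 1.
can_replace() {
  target="$1"; shift
  [ -L "$target" ] && return 0
  [ -e "$target" ] || return 0
  current=$(sha256_of < "$target")
  stock=$(render_shells | sha256_of)
  wanted=$(render_shells "$@" | sha256_of)
  for h in "$stock" "$wanted" $KNOWN_SHELLS_HASHES; do
    [ "$current" = "$h" ] && return 0
  done
  return 1
}

# Write TARGET atomically as a regular 0644 file with the extra shells
# appended; warn and leave the file alone if its contents are unrecognised.
install_shells() {
  target="$1"; shift
  if ! can_replace "$target" "$@"; then
    echo "warning: $target has unrecognised contents; not overwriting" >&2
    return 1
  fi
  tmp="$target.tmp.$$"
  render_shells "$@" > "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$target"   # rename replaces a symlink with the real file
}

# Demo on a scratch copy, never the real /etc/shells.
demo_dir=$(mktemp -d)
render_shells > "$demo_dir/shells"                  # simulate the stock file
install_shells "$demo_dir/shells" /opt/homebrew/bin/fish  # constructed extra shell
cat "$demo_dir/shells"
rm -rf "$demo_dir"
```

Running the script prints the stock header and seven Apple shells followed by the extra entry; a second run on its own output is a no-op, a dangling symlink is replaced by a regular file, and a hand-edited file is left untouched with a warning on stderr.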