wrong shell

[youngunix]

Hello,

When invoking the command doas -s and entering the user's password, the root login drops into the wrong shell (not bash). Using su produces the desired effect. This started happening after I switched to zsh for the wheel user not root. I already checked /etc/passwd and confirmed that both users have the correct shells assigned.

What's strange is once I'm root, I run echo $SHELL and the output is /bin/bash. However, if I run bash I get the desired effect (custom colors and configs). Are there any config files or troubleshooting steps I need to look into?

doas version: 6.8.2
Gentoo 17.1 -STABLE
kernel 6.1.19

[Duncaen]

From the man page:

-s Execute the shell from SHELL or /etc/passwd.

This is the same as in upstream doas and sudo does the same.

[youngunix]

I know what -s does! But are you saying that it will drop into the admin user's shell or the root's shell?

Because if it is supposed to drop to the admin user's shell then it is not working as it should since running echo $SHELL provides the output /bin/bash instead of /bin/zsh.

If it is supposed to drop to the root's shell which is bash then it only works half way because it is not reading from /etc/bashrc.

[Duncaen]

The shell from SHELL env or the shell of the executing user in /etc/passwd, just like sudo.

OpenDoas/doas.c

Lines 314 to 322 in b96106b

	if (sflag) {
	sh = getenv("SHELL");
	if (sh == NULL || *sh == '\0') {
	shargv[0] = mypw->pw_shell;
	} else
	shargv[0] = sh;
	argv = shargv;
	argc = 1;
	}

[Duncaen]

Because if it is supposed to drop to the admin user's shell then it is not working as it should since running echo $SHELL provides the output /bin/bash instead of /bin/zsh.

The SHELL environment variable after execution will default to the target users shell from /etc/passwd, unless you configure SHELL to be handled differently in /etc/doas.conf.

If it is supposed to drop to the root's shell which is bash then it only works half way because it is not reading from /etc/bashrc.

Its just executing the shell, I don't see how it would stop bash from reading /etc/bashrc.

[youngunix]

From what you are saying, it should drop to zsh but instead it's dropping to bash and using zsh config (maybe!).

The only thing I have in doas.conf is permit :wheel. Where is the config to tell it to use a specific shell?

[Duncaen]

It will always use the shell from SHELL from your environment or the shell from /etc/passwd for your user.

The configuration can just change the default value for the SHELL the command is executed with.

The SHELL variable set by doas is not used by doas to decide on the shell and does not reflect the shell that is used, its always the shell of the target user from /etc/passwd.

[Duncaen]

From what you are saying, it should drop to zsh but instead it's dropping to bash and using zsh config (maybe!).

Its really hard to follow which shell is which and what you expect to happen.

% cat /etc/passwd|grep -e duncan -e root
root:x:0:0:root:/root:/bin/mksh
duncan:x:1000:1000::/home/duncan:/bin/zsh
% id -u
1000

doas -s uses your users preference to choose the shell, either SHELL environment variable or your
shell in /etc/passwd, the environment variable of SHELL after executing the command reflects the shell of the target user, /bin/mksh in this case.

With SHELL=/bin/zsh (from the current environment):

% env | grep SHELL
SHELL=/bin/zsh
% doas -s
tux# env |grep SHELL
SHELL=/bin/mksh
tux# cat /proc/$$/cmdline
/bin/zsh

With SHELL=/bin/bash (explicitly set):

% SHELL=/bin/bash doas -s
bash-5.1# env |grep SHELL
SHELL=/bin/mksh
bash-5.1# cat /proc/$$/cmdline
/bin/bash

With SHELL= (unset, now its using the shell of the user "duncan" from /etc/passwd):

% SHELL= doas -s
# env |grep SHELL
SHELL=/bin/mksh
tux# cat /proc/$$/cmdline
/bin/zsh

[youngunix]

I tested the above scenarios and they all check out, and as a conclusion, this is the workaround SHELL=/bin/bash doas -s. However, I still believe this is a bug that needs to be addressed because the outcome is confusing as the software doesn't do what it's supposed to. As of right now, the result of running the command doas -s seems to be in limbo. The desired outcome should be either drop to the user's SHELL (in this case zsh) or the root's SHELL (in this case bash), not both at the same time.

[Duncaen]

I still believe this is a bug that needs to be addressed because the outcome is confusing as the software doesn't do what it's supposed to.

What is it supposed to do? doas sets the environment variables to the default values, similar to login(1).

doas -s is basically just an alias for doas $SHELL at the moment.

sudo does pass through the executing users SHELL environment variable if its executed with the -s/--shell flag:
https://github.com/sudo-project/sudo/blob/86002226b65286ba1bd8fec12e73a900e240970b/plugins/sudoers/env.c#L711-L713

But I don't currently see a good reason for doing that and I don't really want to divert from upstream doas, so if there is a good reason someone or myself should first get a patch into the upstream doas to change that behavior.

The desired outcome should be either drop to the user's SHELL (in this case zsh) or the root's SHELL (in this case bash), not both at the same time.

I don't really understand what you mean by that. SHELL is as far as I understand just the default shell of the user, it doesn't have to match the shell that is currently running, otherwise bash/zsh/.. etc should set them when they are being executed interactively since they "take over" the shell and now the shell and SHELL don't match anymore.

[trois-six]

doas -s does exactly the same as sudo -s; what I would like is to have the equivalent of sudo -i, because sudo -i permits to manage well the transition from a shell (for ex zsh for user id 1000) to another (for ex bash for user id 1) by launching an interactive shell.