bug-guix

bug#48974: A possible shepherd bug (it's very minor)


From: Leo Prikler
Subject: bug#48974: A possible shepherd bug (it's very minor)
Date: Sat, 12 Jun 2021 23:13:18 +0200
User-agent: Evolution 3.34.2

Hi,

Am Samstag, den 12.06.2021, 20:09 +0000 schrieb jbranso@dismail.de:
> June 12, 2021 3:39 PM, "Leo Prikler" <leo.prikler@student.tugraz.at>
> wrote:
> 
> > Am Samstag, den 12.06.2021, 09:26 -0400 schrieb Joshua Branson:
> > 
> > > Hello!
> > > 
> > > I've had this issue ever since I enabled automatic login on my
> > > guix system like so:
> > > 
> > > #+BEGIN_SRC scheme
> > > (define %my-desktop-services
> > >   (modify-services
> > >       %desktop-services
> > >     (mingetty-service-type config =>
> > >                            (mingetty-configuration
> > >                             (inherit config)
> > >                             ;;auto login as joshua
> > >                             (auto-login "joshua")))))
> > > 
> > > (operating-system
> > >   ...
> > >   (services (list %my-desktop-services)))
> > > #+END_SRC
> > 
> > I am sorry to say this, but rather than this being (just) a bug with
> 
> Thank you for speaking so gently! :)
> 
> > shepherd, your config looks seriously borked. Why are you asking Guix
> > to autologin you on *every available console*?
> 
> HAHAHA! That's what I'm doing! I forgot that! Honestly, I did that,
> because I couldn't figure out how to code "just auto log into
> console 1 ONLY". :)
> 
> Would you mind explaining how bad of a decision this is? Is this a
> BAD security practice?
It is seriously bad practice. With just one TTY, you can usually
suspend it with programs such as vlock, plus it's expected that you
actually sit in front of the given TTY when the autologin happens.
With all TTYs though, anyone could switch to the other and "lol, now
I'm jbranso". The only configuration that could possibly be worse is
autologin root :P

(Granted, it probably still takes physical access to exploit, but it's
something your family/friends could likely do just to troll you.)

> I'll tell you what, why don't we leave this "bug" open for a
> week...I'll try to write the code that does what I want, and I'll
> email the answer.
> 
> Then I'll edit the manual to provide an example!
I'm pretty sure that the actual bug also exists, just not sure whether
that's on your config or on shepherd.  Using TTY1 for graphical stuff
is also somewhat rare in Guix land, I presume.  (Or rather, I can't
think of it as anything but a container for debug output spam :D)

As for getting this to work only on TTY1, you do get the config object,
so you can do stuff like
  (if (is-tty1? config) (inherit+autologin config) config)
Note, of course, that is-tty1? is not a procedure that's ready-made, but
one that you'd need to build from primitives such as record accessors.

Regards,
Leo
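
Added example (not part of the message above and not code from the Guix project): one way to build the TTY check described in the reply from a record accessor, so that only one console auto-logs in and every other TTY still asks for a password. The helper name `auto-login-to-tty` is hypothetical; the accessor `mingetty-configuration-tty` is assumed to be exported by `(gnu services base)` in the Guix revision in use; the user "joshua" and console "tty1" are taken from the thread.

```scheme
;; Added example: restrict mingetty auto-login to a single console.
(use-modules (gnu)
             (gnu services base)      ;mingetty-configuration and accessors
             (gnu services desktop))  ;%desktop-services

;; Hypothetical helper (name made up for this example).
;; CONFIG is one <mingetty-configuration> record; modify-services calls
;; the clause once per mingetty service, i.e. once per console.
;; Return CONFIG untouched unless it describes the console named TTY,
;; in which case return a copy that auto-logs in USER.
(define (auto-login-to-tty config tty user)
  (if (string=? tty (mingetty-configuration-tty config))
      (mingetty-configuration
       (inherit config)
       (auto-login user))
      config))

;; Weak variant from the thread, for comparison: the clause below is
;; applied to every mingetty instance, so every console logs in as the
;; user without a password.
;;
;;   (mingetty-service-type config =>
;;     (mingetty-configuration (inherit config) (auto-login "joshua")))

;; Restricted variant: only tty1 gets auto-login.
(define %my-desktop-services
  (modify-services %desktop-services
    (mingetty-service-type config =>
      (auto-login-to-tty config "tty1" "joshua"))))

;; modify-services already returns a list of services, so in the
;; operating-system declaration it is passed directly:
;;   (services %my-desktop-services)
```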
