@adombeck (Contributor) commented Dec 15, 2025

Important

This is based on #1087, please review and merge that first.

Allow users to change their shell.

Closes #939

There's nothing encrypted in this string.

... instead of prefixing the error message with "permission denied"

Required to change the ownership of the user's home directory when
changing the user's UID.

We use this to recursively change the owner and group of the user's home
directory when changing the user's UID.

Needed to test fileutils.ChownRecursiveFrom. We can't use bubblewrap for
that because bubblewrap only creates a UID mapping for one user; using
chown with a different UID fails with:

    chown: changing ownership of 'file': Invalid argument

Do the same as usermod does when changing a UID of a user: If the home
directory is currently owned by the user, recursively change the owner
and group of the home directory and all files in the home directory from
the old UID and GID to the new UID and GID.
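
The recursive ownership change described in the commit message above, as an added example that is not part of the pull request and not authd's `fileutils.ChownRecursiveFrom`: the helper name, its signature and the per-ID matching rule are assumptions. It uses `Lchown` so that symlinks inside the home directory are never followed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// chownRecursiveFrom (hypothetical helper, not authd's code) swaps owner oldUID
// for newUID and group oldGID for newGID on every entry under root and leaves
// IDs that do not match alone. It returns the number of entries it changed.
func chownRecursiveFrom(root string, oldUID, oldGID, newUID, newGID uint32) (changed int, err error) {
	// filepath.Walk lstats each entry and never descends through a symlink.
	err = filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		st, ok := info.Sys().(*syscall.Stat_t)
		if !ok {
			return fmt.Errorf("no ownership data for %s", path)
		}
		uid, gid := -1, -1 // -1 leaves that ID unchanged
		if st.Uid == oldUID {
			uid = int(newUID)
		}
		if st.Gid == oldGID {
			gid = int(newGID)
		}
		if uid == -1 && gid == -1 {
			return nil // owned by neither old ID: do not touch
		}
		// Lchown changes the link itself, so a symlink pointing outside the
		// home directory cannot redirect the ownership change.
		if err := os.Lchown(path, uid, gid); err != nil {
			return err
		}
		changed++
		return nil
	})
	return changed, err
}

func main() {
	dir, _ := os.MkdirTemp("", "home-") // constructed stand-in for a home directory
	defer os.RemoveAll(dir)
	uid, gid := uint32(os.Getuid()), uint32(os.Getgid())
	fmt.Println(chownRecursiveFrom(dir, uid, gid, uid, gid)) // identity rewrite: needs no privileges
}
```

Changing to a different UID requires CAP_CHOWN; the identity rewrite in `main` only exercises the walk and the matching logic.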

We need that for the SetUserID tests

We now support chown in bubblewrap, so we don't have to run the test as
root anymore.

We have a use case where we want to create a directory at a
deterministic path in /tmp. That fails if /tmp is shared with the host
and other bubblewrap sandboxes which use the same directory.

It doesn't test anything that's not already covered by other tests and
it's annoying to have to manually update the golden files of the SSH
integration tests whenever the authctl usage message changes.

userslocking.WriteLock() immediately returns ErrLock if the lock is
already taken *by the current process*. lckpwdf behaves similarly (even
though the man page doesn't mention it).

To avoid that issue, we now take another lock which blocks concurrent
goroutines.

We broke the bubblewrap tests in the CI without noticing it (at first)
because the tests were skipped. The only case where we really want to
skip the tests is on Launchpad builders. To detect that, we check if the
DEB_BUILD_ARCH environment variable is set and we're *not* in GitHub CI.

When executing `unshare --map-user` via exec.Command and connecting the
process's stdout or stderr, the command hangs forever if unprivileged
user namespaces are disabled.

We avoid that by checking via `unshare --user` if unprivileged user
namespaces are enabled.

The "Run autopkgtests" CI job runs the tests in an LXD container which
doesn't allow using bubblewrap. It fails with:

    bwrap: Failed to make / slave: Permission denied

To keep these jobs from failing, we allow them to skip the bubblewrap
tests. We still run the tests in the "Go Tests" CI jobs.

Running our tests with -v produces so much output that it makes it
harder to inspect test failures, for example when viewing the logs of
the "Run autopkgtests" CI job in GitHub.

Running the tests without -v still prints the logs of the failed tests
which should include all the information we need to debug test failures.

@codecov-commenter

Codecov Report

❌ Patch coverage is 63.65462% with 181 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.08%. Comparing base (6ff09d2) to head (dfb2353).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/users/proc/proc.go | 60.41% | 38 Missing ⚠️ |
| cmd/authctl/internal/completion/completion.go | 0.00% | 29 Missing ⚠️ |
| internal/users/db/update.go | 70.96% | 27 Missing ⚠️ |
| cmd/authctl/user/set-uid.go | 0.00% | 19 Missing ⚠️ |
| cmd/authctl/group/set-gid.go | 0.00% | 16 Missing ⚠️ |
| cmd/authctl/user/set-shell.go | 0.00% | 14 Missing ⚠️ |
| internal/services/user/user.go | 70.58% | 10 Missing ⚠️ |
| internal/services/permissions/permissions.go | 66.66% | 7 Missing ⚠️ |
| internal/testlog/testlog.go | 61.11% | 7 Missing ⚠️ |
| internal/users/manager.go | 95.00% | 6 Missing ⚠️ |

... and 4 more

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1165      +/-   ##
==========================================
- Coverage   87.64%   86.08%   -1.56%     
==========================================
  Files          90       97       +7     
  Lines        6222     6682     +460     
  Branches      111      111              
==========================================
+ Hits         5453     5752     +299     
- Misses        713      874     +161     
  Partials       56       56              


@adombeck adombeck marked this pull request as ready for review December 17, 2025 12:29
@adombeck adombeck requested a review from a team as a code owner December 17, 2025 12:29

Development

Successfully merging this pull request may close these issues.

Support changing the user's shell via authctl
