From 829ae3dd9a92c3f28fe4e940d28833f9fab5b954 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Nov 2023 12:26:42 +0100
Subject: [PATCH] system: try not to taint the root shell

If someone strips root of the admin privilege don't try
to pry away the root shell as well.  None of this really
works well in practice.
---
 src/etc/inc/auth.inc | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 758942051..e6f4e23dc 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -349,16 +349,10 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
         $user_group = 'wheel';
         $user_home = '/root';
     } else {
-        $user_shell = isset($user['shell']) ? $user['shell'] : '/usr/sbin/nologin';
+        $is_admin = userIsAdmin($user['name']);
+        $user_shell = $is_admin && isset($user['shell']) ? $user['shell'] : '/usr/sbin/nologin';
+        $user_group = $is_admin ? 'wheel' : 'nobody';
         $user_home = "/home/{$user_name}";
-        $user_group = 'nobody';
-    }
-
-    /* admins access gives wheely rights */
-    if (userIsAdmin($user['name'])) {
-        $user_group = 'wheel';
-    } else {
-        $user_shell = '/usr/sbin/nologin';
     }
 
     // XXX: primary group id can only be wheel or nobody, otherwise we should map the correct numbers for comparison