Change default shell from bash to zsh by default?

This one is 100% tested and functional.

/usr/lib/systemd/system.conf.d/30_kicksecure.conf

[Manager]
DefaultEnvironment=TESTVAR=1

/usr/lib/systemd/system.conf.d/30_kicksecure.conf

[Manager]
DefaultEnvironment=TESTVAR=1
DefaultEnvironment=ZTESTDIR=/etc/zsh/dist
DefaultEnvironment=ZDOTDIR=/etc/zsh/dist
DefaultEnvironment=ZDOTDIRWHAT=/etc/zsh/dist

All functional.

env  | grep ZDOTDIR

ZDOTDIRWHAT=/etc/zsh/dist
ZDOTDIR=/etc/zsh/dist

(We’ll of course not ship the other variables which are just there for testing. Production version will of course only have ZDOTDIR.)

No such issue. All good.

Last resort only. Reasons:

The systemd DefaultEnvironment approach seems much cleaner.

OK, will accept this method.

Will test then.

To which repo this should be added together with the dotfiles?


Good question. Looking through Kicksecure · GitHub I was wondering in which package it fits best without needing to invent yet another package. GitHub - Kicksecure/desktop-config-dist seems best. Since it’s kinda a “desktop” modification. Not desktop as in graphical desktop but desktop/notebook user interface related settings.

Currently description is Configuration for Derivative Xfce Desktop but Xfce can be removed from the description to make it more general. Changes by that package seem useful, some even have security impact but still optional and not of very critical importance.


Just to remember to myself: this doesn’t work on Qubes, the prefix should be /usr/local/lib


Nevermind, I should have done this on the template…

W: desktop-config-dist: script-not-executable etc/zsh/dist/.aliasrc
N:
W: script-not-executable
N:
N:   This file starts with the #! sequence that marks interpreted scripts,
N:   but it is not executable.
N:   
N:   There has been some discussion to allow such files in paths other than
N:   /usr/bin but there was ultimately no broad support for it.
N:   
N:   Refer to Bug#368792 for details.
N:   
N:   Severity: warning
N:   
N:   Check: scripts
N:
W: desktop-config-dist: script-not-executable etc/zsh/dist/.shrc
W: desktop-config-dist: script-not-executable etc/zsh/dist/.zshrc

Lintian warnings generally break the build, but that lintian warning is more of a false positive than an actual issue. Any objection to just making these scripts executable? That would be the easiest solution I can do now quickly. Otherwise, setting lintian to ignore this is also possible.

Sorry, I forgot to build the deb to test that, as I just manually copied the files to the path.

No objections to them becoming executables; it is just not needed because they are sourced, but if lintian complains, whatever.

Also, if you note, the /etc/zsh zsh system scripts are not executable. I think the reason is that it is not needed? Or they are not meant to be “executed” individually but “sourced” as a whole.

So with this in mind, what do you think? Should I make them executables or make lintian not warn about that?


Should be least privilege but this is theoretic in this case. Already resolved.

Something I didn’t consider yet. A Qubes specific imperfection related to unnecessary dependencies.

sudo apt install --no-install-recommends desktop-config-dist

Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
The following packages were automatically installed and are no longer required:
libbotan-2-17 libtspi1
Use ‘sudo apt autoremove’ to remove them.
The following additional packages will be installed:
arc-theme gnome-colors-common gnome-icon-theme gnome-themes-extra gnome-themes-extra-data gtk2-engines-murrine gtk2-engines-pixbuf libgarcon-1-0 libgarcon-common librsvg2-common
libxfce4panel-2.0-4 xfce4-genmon-plugin xfce4-whiskermenu-plugin
Suggested packages:
murrine-themes mugshot
Recommended packages:
gnome-accessibility-themes
The following NEW packages will be installed:
arc-theme desktop-config-dist gnome-colors-common gnome-icon-theme gnome-themes-extra gnome-themes-extra-data gtk2-engines-murrine gtk2-engines-pixbuf libgarcon-1-0 libgarcon-common
librsvg2-common libxfce4panel-2.0-4 xfce4-genmon-plugin xfce4-whiskermenu-plugin
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 11.7 MB/14.2 MB of archives.
After this operation, 43.9 MB of additional disk space will be used.
Do you want to continue? [Y/n]

To fix, I can probably split desktop-config-dist into a settings files package (some files would not be required for Qubes) and a dependencies package (that only gets installed in Non-Qubes).


There’s one issue with the migration to zsh for existing users. New builds won’t have this issue. After the package update, the default shell is switched from bash to zsh, but the ZDOTDIR environment variable won’t be set yet. When opening a terminal before rebooting, the following surprising (violates the principle of least surprise), complicated and confusing message (for most users) appears:

This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses ---

Users would certainly ask something like: Why does this happen? What should I configure?

Option A) Would creating an empty file /home/user/.zshrc be an acceptable solution?

if ! test -f  /home/user/.zshrc ; then
    sudo -u user touch /home/user/.zshrc || true
fi

Option B) Change default shell from bash to zsh only for new builds of Whonix but keep existing users on zsh for now? Then we could give users time to update; next time they update, they’ll already have the ZDOTDIR environment variable and the /etc/zsh/dist folder. Only users who don’t update for a long time would run into the above issue.

Option A and B could in theory also be combined but not sure that’s good.

yes, but it won’t be read… because ZDOTDIR won’t be ~/ anymore, it is /etc/zsh/dist.

touch ~/.zshrc
Just touch the file without modification.

possibly forgot touch.

ZROOTDIR=/etc/zsh → Set by build
ZDOTDIR=/etc/zsh/dist → Set by us.

About option B, no opinion.

Yes, this would only hide the question and show the zsh standard configuration (without colors, command completion, exit codes and whatnot). It’s not a perfect solution, just avoiding the worst usability issue.
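As an added example (not code from the thread or from desktop-config-dist): the Option A check above only looks at ~/.zshrc, but zsh’s zsh-newuser-install prompt is suppressed by any of the four startup files (.zshenv, .zprofile, .zshrc, .zlogin) in the directory zsh actually reads, which is $ZDOTDIR when set and $HOME otherwise. The helper below takes that directory as an argument, creates an empty .zshrc only when none of the four exist, and reports what it did, so a maintainer script can run it against the user’s home during the window before ZDOTDIR is set. The function names and the temporary directory used for the demonstration are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the thread or of desktop-config-dist.
# Mirrors zsh's own rule for where startup files are read:
# $ZDOTDIR when set, otherwise $HOME.
zsh_startup_dir() {
    printf '%s\n' "${ZDOTDIR:-$HOME}"
}

# ensure_zsh_startup_file DIR
# zsh-newuser-install runs only when none of the four startup files exist
# in DIR, so checking .zshrc alone is not enough: a user with only a
# .zprofile would never see the prompt and must not get a .zshrc forced on
# them. Prints "present" if any startup file exists, "created" after
# writing an empty .zshrc, and fails if DIR is not writable.
ensure_zsh_startup_file() {
    dir="$1"
    for f in .zshenv .zprofile .zshrc .zlogin; do
        if [ -f "$dir/$f" ]; then
            echo present
            return 0
        fi
    done
    # Empty file, no content: it exists only to silence the prompt.
    : > "$dir/.zshrc" || return 1
    echo created
}

# Demonstration on a constructed temporary directory (assumption: mktemp
# is available), so nothing in the real home directory is touched.
demo_dir=$(mktemp -d)
ensure_zsh_startup_file "$demo_dir"   # created
ensure_zsh_startup_file "$demo_dir"   # present
rm -rf "$demo_dir"
```

In a maintainer script this would be run for the real home directory (for example `ensure_zsh_startup_file /home/user`), as the user or followed by a chown, since a root-created ~/.zshrc the user cannot edit is its own surprise. Once ZDOTDIR points at /etc/zsh/dist the file is simply ignored, as noted above.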

Indeed. Edited my above post.

I don’t understand. But there is also a mistake in my previous post. Should have written “ZDOTDIR”. Will edit. I didn’t want to suggest editing ZROOTDIR.
(Maybe that’s required. If yes, please mention. But from my side it was just a typo for now.)

all good now. no issues.
