apply executable checks to $SHELL and /etc/passwd lookup

refs: https://github.com/wez/wezterm/issues/2378

pty/src/cmdbuilder.rs

@@ -449,22 +449,37 @@ impl CommandBuilder {
     /// We take the contents of the $SHELL env var first, then
     /// fall back to looking it up from the password database.
     pub fn get_shell(&self) -> anyhow::Result<String> {
+        use nix::unistd::{access, AccessFlags};
+        use std::ffi::CStr;
+        use std::path::Path;
+        use std::str;
+
         if let Some(shell) = self.get_env("SHELL").and_then(OsStr::to_str) {
-            return Ok(shell.into());
+            match access(shell, AccessFlags::X_OK) {
+                Ok(()) => return Ok(shell.into()),
+                Err(err) => log::warn!(
+                    "$SHELL -> {shell:?} which is \
+                     not executable ({err:#}), falling back to password db lookup"
+                ),
+            }
         }
 
         let ent = unsafe { libc::getpwuid(libc::getuid()) };
-        if ent.is_null() {
-            Ok("/bin/sh".into())
-        } else {
-            use std::ffi::CStr;
-            use std::str;
+        if !ent.is_null() {
             let shell = unsafe { CStr::from_ptr((*ent).pw_shell) };
-            shell
+            let shell = shell
                 .to_str()
                 .map(str::to_owned)
-                .context("failed to resolve shell")
+                .context("failed to resolve shell from passwd database")?;
+
+            if let Err(err) = access(Path::new(&shell), AccessFlags::X_OK) {
+                log::warn!(
+                    "passwd database shell={shell:?} which is \
+                     not executable ({err:#}), fallback to /bin/sh"
+                );
+            }
         }
+        Ok("/bin/sh".into())
     }
 
     fn get_home_dir(&self) -> anyhow::Result<String> {