Package: coreutils;
Reported by: 積丹尼 Dan Jacobson <jidanni <at> jidanni.org>
Date: Fri, 20 Nov 2020 21:19:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 44770 in the body.
You can then email your comments to 44770 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Fri, 20 Nov 2020 21:19:02 GMT) Full text and rfc822 format available.積丹尼 Dan Jacobson <jidanni <at> jidanni.org>:bug-coreutils <at> gnu.org.
(Fri, 20 Nov 2020 21:19:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: 積丹尼 Dan Jacobson <jidanni <at> jidanni.org> To: bug-coreutils <at> gnu.org Subject: chown: warn about the dot when encountering it Date: Sat, 21 Nov 2020 05:17:49 +0800
Maybe print warning messages when encountering the dot, (info "(coreutils) chown invocation") Else Grandpa won't ever know, https://github.com/scop/bash-completion/issues/468 until one day when it's too late... (And his program starts messing things up on some other system.)
積丹尼 Dan Jacobson <jidanni <at> jidanni.org>
to control <at> debbugs.gnu.org.
(Fri, 20 Nov 2020 21:27:02 GMT) Full text and rfc822 format available.bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sun, 20 Jun 2021 14:20:02 GMT) Full text and rfc822 format available.Message #10 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Subject: [PATCH v2 0/2] services: setuid: More configurable setuid support. Date: Sun, 20 Jun 2021 16:19:31 +0200
Hello Christopher, Some times ago I continued your patch from where you left it. If I recall correctly it should address all the suggestions from Ludo' and Maxim. I'm using it for several month now without any issue. Thank your for your work on this issue Christopher! Cheers, - Brice Brice Waegeneire (1): services: Migrate to <setuid-program>. Christopher Lemmer Webber (1): services: setuid: More configurable setuid support. gnu/build/activation.scm | 38 ++++++++++++++++++++------- gnu/services.scm | 45 ++++++++++++++++++++++++++++--- gnu/services/dbus.scm | 13 ++++++--- gnu/services/desktop.scm | 26 +++++++++++------- gnu/services/docker.scm | 9 ++++--- gnu/services/xorg.scm | 4 ++- gnu/system.scm | 45 +++++++++++++++++-------------- gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++ 8 files changed, 186 insertions(+), 51 deletions(-) create mode 100644 gnu/system/setuid.scm -- 2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sun, 20 Jun 2021 14:20:02 GMT) Full text and rfc822 format available.Message #13 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Cc: Brice Waegeneire <brice <at> waegenei.re> Subject: [PATCH v2 1/2] services: setuid: More configurable setuid support. Date: Sun, 20 Jun 2021 16:19:32 +0200
From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
New record <setuid-program> with fields for setting the specific user
and group, as well as specifically selecting the setuid and setgid bits,
for a program within the setuid-program-service.
* gnu/services.scm (setuid-program-file-like-deprecated): New function.
(setuid-program-service-type): Make use of
setuid-program->activation-gexp. Adjust the extend property to handle
<setuid-program>.
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
<setuid-record> list for each program entry.
* gnu/system.scm: (operating-system-setuid-programs): Renamed to
%operating-system-setuid-programs and replace it with new procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Replace
operating-system-setuid-programs with %operating-system-setuid-programs.
* gnu/system/setuid.scm: New file.
Co-authored-by: Brice Waegeneire <brice <at> waegenei.re>
---
gnu/build/activation.scm | 38 ++++++++++++++++++++-------
gnu/services.scm | 45 ++++++++++++++++++++++++++++---
gnu/system.scm | 14 +++++++---
gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 136 insertions(+), 18 deletions(-)
create mode 100644 gnu/system/setuid.scm
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 2af1d44b5f..ab9255d095 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -6,6 +6,8 @@
;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +26,7 @@
(define-module (gnu build activation)
#:use-module (gnu system accounts)
+ #:use-module (gnu system setuid)
#:use-module (gnu build accounts)
#:use-module (gnu build linux-boot)
#:use-module (guix build utils)
@@ -279,14 +282,17 @@ they already exist."
"/run/setuid-programs")
(define (activate-setuid-programs programs)
- "Turn PROGRAMS, a list of file names, into setuid programs stored under
-%SETUID-DIRECTORY."
- (define (make-setuid-program prog)
+ "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
+stored under %SETUID-DIRECTORY."
+ (define (make-setuid-program program setuid? setgid? uid gid)
(let ((target (string-append %setuid-directory
- "/" (basename prog))))
- (copy-file prog target)
- (chown target 0 0)
- (chmod target #o4555)))
+ "/" (basename program)))
+ (mode (+ #o0555 ; base permissions
+ (if setuid? #o4000 0) ; setuid bit
+ (if setgid? #o2000 0)))) ; setgid bit
+ (copy-file program target)
+ (chown target uid gid)
+ (chmod target mode)))
(format #t "setting up setuid programs in '~a'...~%"
%setuid-directory)
@@ -302,15 +308,27 @@ they already exist."
(for-each (lambda (program)
(catch 'system-error
(lambda ()
- (make-setuid-program program))
+ (let* ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program))
+ (uid (match user
+ ((? string?) (passwd:uid (getpwnam user)))
+ ((? integer?) user)))
+ (gid (match group
+ ((? string?) (group:gid (getgrnam group)))
+ ((? integer?) group))))
+ (make-setuid-program program-name setuid? setgid? uid gid)))
(lambda args
;; If we fail to create a setuid program, better keep going
;; so that we don't leave %SETUID-DIRECTORY empty or
;; half-populated. This can happen if PROGRAMS contains
;; incorrect file names: <https://bugs.gnu.org/38800>.
(format (current-error-port)
- "warning: failed to make '~a' setuid-root: ~a~%"
- program (strerror (system-error-errno args))))))
+ "warning: failed to make ~s setuid/setgid: ~a~%"
+ (setuid-program-program program)
+ (strerror (system-error-errno args))))))
programs))
(define (activate-special-files special-files)
diff --git a/gnu/services.scm b/gnu/services.scm
index 8d413e198e..2f5f67b3a1 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -4,6 +4,8 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework <at> protonmail.com>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +42,7 @@
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
+ #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -801,15 +804,49 @@ directory."
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
+(define (setuid-program->activation-gexp programs)
+ "Return an activation gexp for setuid-program from PROGRAMS."
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)))
+ #~(begin
+ (use-modules (gnu system setuid))
+
+ (activate-setuid-programs (list #$@programs))))))
+
+(define (setuid-program-file-like-deprecated file-like)
+ (match file-like
+ ((? file-like? program)
+ (warning
+ (G_ "representing setuid programs with '~a' is \
+deprecated; use 'setuid-program' instead~%") program)
+ (setuid-program (program program)))
+ ((? setuid-program? program)
+ program)))
+
(define setuid-program-service-type
(service-type (name 'setuid-program)
(extensions
(list (service-extension activation-service-type
- (lambda (programs)
- #~(activate-setuid-programs
- (list #$@programs))))))
+ setuid-program->activation-gexp)))
(compose concatenate)
- (extend append)
+ (extend (lambda (config extensions)
+ (map setuid-program-file-like-deprecated
+ (append config extensions))))
(description
"Populate @file{/run/setuid-programs} with the specified
executables, making them setuid-root.")))
diff --git a/gnu/system.scm b/gnu/system.scm
index 8a3ae27d04..96b45ede96 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2019 Meiyo Peng <meiyo.peng <at> gmail.com>
;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
;;; Copyright © 2020 Danny Milosavljevic <dannym <at> scratchpost.org>
-;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;; Copyright © 2020 Florian Pelz <pelzflorian <at> pelzflorian.de>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <jannek <at> gnu.org>
@@ -74,6 +74,7 @@
#:use-module (gnu system locale)
#:use-module (gnu system pam)
#:use-module (gnu system linux-initrd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system uuid)
#:use-module (gnu system file-systems)
#:use-module (gnu system mapped-devices)
@@ -267,7 +268,7 @@
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
- (setuid-programs operating-system-setuid-programs
+ (setuid-programs %operating-system-setuid-programs
(default %setuid-programs)) ; list of string-valued gexps
(sudoers-file operating-system-sudoers-file ; file-like
@@ -671,7 +672,7 @@ bookkeeping."
(operating-system-environment-variables os))
host-name procs root-fs
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type
(operating-system-packages os))
other-fs
@@ -701,7 +702,7 @@ bookkeeping."
(pam-root-service (operating-system-pam-services os))
(operating-system-etc-service os)
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type (operating-system-packages os)))))
(define* (operating-system-services os)
@@ -1065,6 +1066,11 @@ use 'plain-file' instead~%")
;; TODO: Remove when glibc <at> 2.23 is long gone.
("GUIX_LOCPATH" . "/run/current-system/locale")))
+(define (operating-system-setuid-programs os)
+ "Return the setuid programs for OS, as a list of setuid-program record."
+ (map file-like->setuid-program
+ (%operating-system-setuid-programs os)))
+
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm
new file mode 100644
index 0000000000..e8b9c0df81
--- /dev/null
+++ b/gnu/system/setuid.scm
@@ -0,0 +1,57 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu system setuid)
+ #:use-module (guix records)
+ #:export (setuid-program
+ setuid-program?
+ setuid-program-program
+ setuid-program-setuid?
+ setuid-program-setgid?
+ setuid-program-user
+ setuid-program-group
+
+ file-like->setuid-program))
+
+;;; Commentary:
+;;;
+;;; Data structures representing setuid/setgid programs. This is meant to be
+;;; used both on the host side and at run time--e.g., in activation snippets.
+;;;
+;;; Code:
+
+(define-record-type* <setuid-program>
+ setuid-program make-setuid-program
+ setuid-program?
+ ;; Path to program to link with setuid permissions
+ (program setuid-program-program) ;file-like
+ ;; Whether to set user setuid bit
+ (setuid? setuid-program-setuid? ;boolean
+ (default #t))
+ ;; Whether to set user setgid bit
+ (setgid? setuid-program-setgid? ;boolean
+ (default #f))
+ ;; The user this should be set to (defaults to root)
+ (user setuid-program-user ;integer or string
+ (default 0))
+ ;; Group we want to set this to (defaults to root)
+ (group setuid-program-group ;integer or string
+ (default 0)))
+
+(define (file-like->setuid-program program)
+ (setuid-program (program program)))
--
2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sun, 20 Jun 2021 14:20:03 GMT) Full text and rfc822 format available.Message #16 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Subject: [PATCH v2 2/2] services: Migrate to <setuid-program>. Date: Sun, 20 Jun 2021 16:19:33 +0200
* gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs):
Return setuid-programs.
* gnu/services/desktop.scm (enlightenment-setuid-programs): Return
setuid-programs.
(%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
* gnu/services/docker.scm (singularity-setuid-programs): Return
setuid-programs.
* gnu/services/xorg.scm(screen-locker-setuid-programs): Return
setuid-programs.
* gnu/system.scm (%setuid-programs): Return setuid-programs.
---
gnu/services/dbus.scm | 13 +++++++++----
gnu/services/desktop.scm | 26 ++++++++++++++++----------
gnu/services/docker.scm | 9 ++++++---
gnu/services/xorg.scm | 4 +++-
gnu/system.scm | 31 ++++++++++++++++---------------
5 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index af1a1e4c3a..e7b3dac166 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong <at> gmail.com>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +22,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
#:use-module ((gnu packages glib) #:select (dbus))
@@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in
(shell (file-append shadow "/sbin/nologin")))))
(define dbus-setuid-programs
- ;; Return the file name of the setuid program that we need.
+ ;; Return a list of <setuid-program> for the program that we need.
(match-lambda
(($ <dbus-configuration> dbus services)
- (list (file-append dbus "/libexec/dbus-daemon-launch-helper")))))
+ (list (setuid-program
+ (program (file-append
+ dbus "/libexec/dbus-daemon-launch-helper")))))))
(define (dbus-activation config)
"Return an activation gexp for D-Bus using @var{config}."
@@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it."
(define polkit-setuid-programs
(match-lambda
(($ <polkit-configuration> polkit)
- (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1")
- (file-append polkit "/bin/pkexec")))))
+ (map file-like->setuid-program
+ (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1")
+ (file-append polkit "/bin/pkexec"))))))
(define polkit-service-type
(service-type (name 'polkit)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index cd800fcc2b..6297b8eb0b 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2019 David Wilson <david <at> daviwil.com>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;; Copyright © 2020 Reza Alizadeh Majd <r.majd <at> pantherx.org>
+;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +41,7 @@
#:use-module ((gnu system file-systems)
#:select (%elogind-file-systems file-system))
#:use-module (gnu system)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
#:use-module (gnu packages glib)
@@ -1034,14 +1036,15 @@ rules."
(define (enlightenment-setuid-programs enlightenment-desktop-configuration)
(match-record enlightenment-desktop-configuration
- <enlightenment-desktop-configuration>
- (enlightenment)
- (list (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_sys")
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_system")
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_ckpasswd"))))
+ <enlightenment-desktop-configuration>
+ (enlightenment)
+ (map file-like->setuid-program
+ (list (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_sys")
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_system")
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_ckpasswd")))))
(define enlightenment-desktop-service-type
(service-type
@@ -1204,8 +1207,11 @@ or setting its password with passwd.")))
;; Allow desktop users to also mount NTFS and NFS file systems
;; without root.
(simple-service 'mount-setuid-helpers setuid-program-service-type
- (list (file-append nfs-utils "/sbin/mount.nfs")
- (file-append ntfs-3g "/sbin/mount.ntfs-3g")))
+ (map (lambda (program)
+ (setuid-program
+ (program program)))
+ (list (file-append nfs-utils "/sbin/mount.nfs")
+ (file-append ntfs-3g "/sbin/mount.ntfs-3g"))))
;; The global fontconfig cache directory can sometimes contain
;; stale entries, possibly referencing fonts that have been GC'd,
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index be85316180..ef551480aa 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2020 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2020 Jesse Dowell <jessedowell <at> gmail.com>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,6 +27,7 @@
#:use-module (gnu services base)
#:use-module (gnu services dbus)
#:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu packages docker)
#:use-module (gnu packages linux) ;singularity
@@ -195,9 +197,10 @@ bundles in Docker containers.")
"-helper")))
'("action" "mount" "start")))))
- (list (file-append helpers "/singularity-action-helper")
- (file-append helpers "/singularity-mount-helper")
- (file-append helpers "/singularity-start-helper")))
+ (map file-like->setuid-program
+ (list (file-append helpers "/singularity-action-helper")
+ (file-append helpers "/singularity-mount-helper")
+ (file-append helpers "/singularity-start-helper"))))
(define singularity-service-type
(service-type (name 'singularity)
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8ffea3b9dd..d95f8beb7a 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2020 shtwzrd <shtwzrd <at> protonmail.com>
;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
;;; Copyright © 2020 Alex Griffin <a <at> ajgrf.com>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -29,6 +30,7 @@
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
+ #:use-module (gnu system setuid)
#:use-module (gnu system keyboard)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
@@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n"
#:allow-empty-passwords? empty?)))))
(define screen-locker-setuid-programs
- (compose list screen-locker-program))
+ (compose list file-like->setuid-program screen-locker-program))
(define screen-locker-service-type
(service-type (name 'screen-locker)
diff --git a/gnu/system.scm b/gnu/system.scm
index 96b45ede96..8a70f86457 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -1074,22 +1074,23 @@ use 'plain-file' instead~%")
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
- (list (file-append shadow "/bin/passwd")
- (file-append shadow "/bin/sg")
- (file-append shadow "/bin/su")
- (file-append shadow "/bin/newgrp")
- (file-append shadow "/bin/newuidmap")
- (file-append shadow "/bin/newgidmap")
- (file-append inetutils "/bin/ping")
- (file-append inetutils "/bin/ping6")
- (file-append sudo "/bin/sudo")
- (file-append sudo "/bin/sudoedit")
- (file-append fuse "/bin/fusermount")
+ (map file-like->setuid-program
+ (list (file-append shadow "/bin/passwd")
+ (file-append shadow "/bin/sg")
+ (file-append shadow "/bin/su")
+ (file-append shadow "/bin/newgrp")
+ (file-append shadow "/bin/newuidmap")
+ (file-append shadow "/bin/newgidmap")
+ (file-append inetutils "/bin/ping")
+ (file-append inetutils "/bin/ping6")
+ (file-append sudo "/bin/sudo")
+ (file-append sudo "/bin/sudoedit")
+ (file-append fuse "/bin/fusermount")
- ;; To allow mounts with the "user" option, "mount" and "umount" must
- ;; be setuid-root.
- (file-append util-linux "/bin/mount")
- (file-append util-linux "/bin/umount"))))
+ ;; To allow mounts with the "user" option, "mount" and "umount" must
+ ;; be setuid-root.
+ (file-append util-linux "/bin/mount")
+ (file-append util-linux "/bin/umount")))))
(define %sudoers-specification
;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
--
2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sat, 03 Jul 2021 16:23:02 GMT) Full text and rfc822 format available.Message #19 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Cc: cwebber <at> dustycloud.org Subject: [PATCH v2 0/2] services: setuid: More configurable setuid support. Date: Sat, 3 Jul 2021 18:22:41 +0200
Hello Christopher, Some times ago I continued your patch from where you left it. If I recall correctly it should address all the suggestions from Ludo' and Maxim. I'm using it for several month now without any issue. Thank your for your work on this issue Christopher! Cheers, - Brice Brice Waegeneire (1): services: Migrate to <setuid-program>. Christopher Lemmer Webber (1): services: setuid: More configurable setuid support. gnu/build/activation.scm | 38 ++++++++++++++++++++------- gnu/services.scm | 45 ++++++++++++++++++++++++++++--- gnu/services/dbus.scm | 13 ++++++--- gnu/services/desktop.scm | 26 +++++++++++------- gnu/services/docker.scm | 9 ++++--- gnu/services/xorg.scm | 4 ++- gnu/system.scm | 45 +++++++++++++++++-------------- gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++ 8 files changed, 186 insertions(+), 51 deletions(-) create mode 100644 gnu/system/setuid.scm -- 2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sat, 03 Jul 2021 16:24:01 GMT) Full text and rfc822 format available.Message #22 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Cc: cwebber <at> dustycloud.org Subject: [PATCH v2 2/2] services: Migrate to <setuid-program>. Date: Sat, 3 Jul 2021 18:22:43 +0200
* gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs):
Return setuid-programs.
* gnu/services/desktop.scm (enlightenment-setuid-programs): Return
setuid-programs.
(%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
* gnu/services/docker.scm (singularity-setuid-programs): Return
setuid-programs.
* gnu/services/xorg.scm(screen-locker-setuid-programs): Return
setuid-programs.
* gnu/system.scm (%setuid-programs): Return setuid-programs.
---
gnu/services/dbus.scm | 13 +++++++++----
gnu/services/desktop.scm | 26 ++++++++++++++++----------
gnu/services/docker.scm | 9 ++++++---
gnu/services/xorg.scm | 4 +++-
gnu/system.scm | 31 ++++++++++++++++---------------
5 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index af1a1e4c3a..e7b3dac166 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong <at> gmail.com>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -21,6 +22,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
#:use-module ((gnu packages glib) #:select (dbus))
@@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in
(shell (file-append shadow "/sbin/nologin")))))
(define dbus-setuid-programs
- ;; Return the file name of the setuid program that we need.
+ ;; Return a list of <setuid-program> for the program that we need.
(match-lambda
(($ <dbus-configuration> dbus services)
- (list (file-append dbus "/libexec/dbus-daemon-launch-helper")))))
+ (list (setuid-program
+ (program (file-append
+ dbus "/libexec/dbus-daemon-launch-helper")))))))
(define (dbus-activation config)
"Return an activation gexp for D-Bus using @var{config}."
@@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it."
(define polkit-setuid-programs
(match-lambda
(($ <polkit-configuration> polkit)
- (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1")
- (file-append polkit "/bin/pkexec")))))
+ (map file-like->setuid-program
+ (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1")
+ (file-append polkit "/bin/pkexec"))))))
(define polkit-service-type
(service-type (name 'polkit)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index cd800fcc2b..6297b8eb0b 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2019 David Wilson <david <at> daviwil.com>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;; Copyright © 2020 Reza Alizadeh Majd <r.majd <at> pantherx.org>
+;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +41,7 @@
#:use-module ((gnu system file-systems)
#:select (%elogind-file-systems file-system))
#:use-module (gnu system)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu system pam)
#:use-module (gnu packages glib)
@@ -1034,14 +1036,15 @@ rules."
(define (enlightenment-setuid-programs enlightenment-desktop-configuration)
(match-record enlightenment-desktop-configuration
- <enlightenment-desktop-configuration>
- (enlightenment)
- (list (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_sys")
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_system")
- (file-append enlightenment
- "/lib/enlightenment/utils/enlightenment_ckpasswd"))))
+ <enlightenment-desktop-configuration>
+ (enlightenment)
+ (map file-like->setuid-program
+ (list (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_sys")
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_system")
+ (file-append enlightenment
+ "/lib/enlightenment/utils/enlightenment_ckpasswd")))))
(define enlightenment-desktop-service-type
(service-type
@@ -1204,8 +1207,11 @@ or setting its password with passwd.")))
;; Allow desktop users to also mount NTFS and NFS file systems
;; without root.
(simple-service 'mount-setuid-helpers setuid-program-service-type
- (list (file-append nfs-utils "/sbin/mount.nfs")
- (file-append ntfs-3g "/sbin/mount.ntfs-3g")))
+ (map (lambda (program)
+ (setuid-program
+ (program program)))
+ (list (file-append nfs-utils "/sbin/mount.nfs")
+ (file-append ntfs-3g "/sbin/mount.ntfs-3g"))))
;; The global fontconfig cache directory can sometimes contain
;; stale entries, possibly referencing fonts that have been GC'd,
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index be85316180..ef551480aa 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2020 Efraim Flashner <efraim <at> flashner.co.il>
;;; Copyright © 2020 Jesse Dowell <jessedowell <at> gmail.com>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,6 +27,7 @@
#:use-module (gnu services base)
#:use-module (gnu services dbus)
#:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system shadow)
#:use-module (gnu packages docker)
#:use-module (gnu packages linux) ;singularity
@@ -195,9 +197,10 @@ bundles in Docker containers.")
"-helper")))
'("action" "mount" "start")))))
- (list (file-append helpers "/singularity-action-helper")
- (file-append helpers "/singularity-mount-helper")
- (file-append helpers "/singularity-start-helper")))
+ (map file-like->setuid-program
+ (list (file-append helpers "/singularity-action-helper")
+ (file-append helpers "/singularity-mount-helper")
+ (file-append helpers "/singularity-start-helper"))))
(define singularity-service-type
(service-type (name 'singularity)
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 8ffea3b9dd..d95f8beb7a 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2020 shtwzrd <shtwzrd <at> protonmail.com>
;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
;;; Copyright © 2020 Alex Griffin <a <at> ajgrf.com>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -29,6 +30,7 @@
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
+ #:use-module (gnu system setuid)
#:use-module (gnu system keyboard)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
@@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n"
#:allow-empty-passwords? empty?)))))
(define screen-locker-setuid-programs
- (compose list screen-locker-program))
+ (compose list file-like->setuid-program screen-locker-program))
(define screen-locker-service-type
(service-type (name 'screen-locker)
diff --git a/gnu/system.scm b/gnu/system.scm
index 96b45ede96..8a70f86457 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -1074,22 +1074,23 @@ use 'plain-file' instead~%")
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
- (list (file-append shadow "/bin/passwd")
- (file-append shadow "/bin/sg")
- (file-append shadow "/bin/su")
- (file-append shadow "/bin/newgrp")
- (file-append shadow "/bin/newuidmap")
- (file-append shadow "/bin/newgidmap")
- (file-append inetutils "/bin/ping")
- (file-append inetutils "/bin/ping6")
- (file-append sudo "/bin/sudo")
- (file-append sudo "/bin/sudoedit")
- (file-append fuse "/bin/fusermount")
+ (map file-like->setuid-program
+ (list (file-append shadow "/bin/passwd")
+ (file-append shadow "/bin/sg")
+ (file-append shadow "/bin/su")
+ (file-append shadow "/bin/newgrp")
+ (file-append shadow "/bin/newuidmap")
+ (file-append shadow "/bin/newgidmap")
+ (file-append inetutils "/bin/ping")
+ (file-append inetutils "/bin/ping6")
+ (file-append sudo "/bin/sudo")
+ (file-append sudo "/bin/sudoedit")
+ (file-append fuse "/bin/fusermount")
- ;; To allow mounts with the "user" option, "mount" and "umount" must
- ;; be setuid-root.
- (file-append util-linux "/bin/mount")
- (file-append util-linux "/bin/umount"))))
+ ;; To allow mounts with the "user" option, "mount" and "umount" must
+ ;; be setuid-root.
+ (file-append util-linux "/bin/mount")
+ (file-append util-linux "/bin/umount")))))
(define %sudoers-specification
;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
--
2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Sat, 03 Jul 2021 16:24:01 GMT) Full text and rfc822 format available.Message #25 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Cc: cwebber <at> dustycloud.org, Brice Waegeneire <brice <at> waegenei.re> Subject: [PATCH v2 1/2] services: setuid: More configurable setuid support. Date: Sat, 3 Jul 2021 18:22:42 +0200
From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
New record <setuid-program> with fields for setting the specific user
and group, as well as specifically selecting the setuid and setgid bits,
for a program within the setuid-program-service.
* gnu/services.scm (setuid-program-file-like-deprecated): New function.
(setuid-program-service-type): Make use of
setuid-program->activation-gexp. Adjust the extend property to handle
<setuid-program>.
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
<setuid-record> list for each program entry.
* gnu/system.scm: (operating-system-setuid-programs): Renamed to
%operating-system-setuid-programs and replace it with new procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Replace
operating-system-setuid-programs with %operating-system-setuid-programs.
* gnu/system/setuid.scm: New file.
Co-authored-by: Brice Waegeneire <brice <at> waegenei.re>
---
gnu/build/activation.scm | 38 ++++++++++++++++++++-------
gnu/services.scm | 45 ++++++++++++++++++++++++++++---
gnu/system.scm | 14 +++++++---
gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 136 insertions(+), 18 deletions(-)
create mode 100644 gnu/system/setuid.scm
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 2af1d44b5f..ab9255d095 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -6,6 +6,8 @@
;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +26,7 @@
(define-module (gnu build activation)
#:use-module (gnu system accounts)
+ #:use-module (gnu system setuid)
#:use-module (gnu build accounts)
#:use-module (gnu build linux-boot)
#:use-module (guix build utils)
@@ -279,14 +282,17 @@ they already exist."
"/run/setuid-programs")
(define (activate-setuid-programs programs)
- "Turn PROGRAMS, a list of file names, into setuid programs stored under
-%SETUID-DIRECTORY."
- (define (make-setuid-program prog)
+ "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
+stored under %SETUID-DIRECTORY."
+ (define (make-setuid-program program setuid? setgid? uid gid)
(let ((target (string-append %setuid-directory
- "/" (basename prog))))
- (copy-file prog target)
- (chown target 0 0)
- (chmod target #o4555)))
+ "/" (basename program)))
+ (mode (+ #o0555 ; base permissions
+ (if setuid? #o4000 0) ; setuid bit
+ (if setgid? #o2000 0)))) ; setgid bit
+ (copy-file program target)
+ (chown target uid gid)
+ (chmod target mode)))
(format #t "setting up setuid programs in '~a'...~%"
%setuid-directory)
@@ -302,15 +308,27 @@ they already exist."
(for-each (lambda (program)
(catch 'system-error
(lambda ()
- (make-setuid-program program))
+ (let* ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program))
+ (uid (match user
+ ((? string?) (passwd:uid (getpwnam user)))
+ ((? integer?) user)))
+ (gid (match group
+ ((? string?) (group:gid (getgrnam group)))
+ ((? integer?) group))))
+ (make-setuid-program program-name setuid? setgid? uid gid)))
(lambda args
;; If we fail to create a setuid program, better keep going
;; so that we don't leave %SETUID-DIRECTORY empty or
;; half-populated. This can happen if PROGRAMS contains
;; incorrect file names: <https://bugs.gnu.org/38800>.
(format (current-error-port)
- "warning: failed to make '~a' setuid-root: ~a~%"
- program (strerror (system-error-errno args))))))
+ "warning: failed to make ~s setuid/setgid: ~a~%"
+ (setuid-program-program program)
+ (strerror (system-error-errno args))))))
programs))
(define (activate-special-files special-files)
diff --git a/gnu/services.scm b/gnu/services.scm
index 8d413e198e..2f5f67b3a1 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -4,6 +4,8 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework <at> protonmail.com>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +42,7 @@
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
+ #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -801,15 +804,49 @@ directory."
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
+(define (setuid-program->activation-gexp programs)
+ "Return an activation gexp for setuid-program from PROGRAMS."
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)))
+ #~(begin
+ (use-modules (gnu system setuid))
+
+ (activate-setuid-programs (list #$@programs))))))
+
+(define (setuid-program-file-like-deprecated file-like)
+ (match file-like
+ ((? file-like? program)
+ (warning
+ (G_ "representing setuid programs with '~a' is \
+deprecated; use 'setuid-program' instead~%") program)
+ (setuid-program (program program)))
+ ((? setuid-program? program)
+ program)))
+
(define setuid-program-service-type
(service-type (name 'setuid-program)
(extensions
(list (service-extension activation-service-type
- (lambda (programs)
- #~(activate-setuid-programs
- (list #$@programs))))))
+ setuid-program->activation-gexp)))
(compose concatenate)
- (extend append)
+ (extend (lambda (config extensions)
+ (map setuid-program-file-like-deprecated
+ (append config extensions))))
(description
"Populate @file{/run/setuid-programs} with the specified
executables, making them setuid-root.")))
diff --git a/gnu/system.scm b/gnu/system.scm
index 8a3ae27d04..96b45ede96 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2019 Meiyo Peng <meiyo.peng <at> gmail.com>
;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
;;; Copyright © 2020 Danny Milosavljevic <dannym <at> scratchpost.org>
-;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;; Copyright © 2020 Florian Pelz <pelzflorian <at> pelzflorian.de>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <jannek <at> gnu.org>
@@ -74,6 +74,7 @@
#:use-module (gnu system locale)
#:use-module (gnu system pam)
#:use-module (gnu system linux-initrd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system uuid)
#:use-module (gnu system file-systems)
#:use-module (gnu system mapped-devices)
@@ -267,7 +268,7 @@
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
- (setuid-programs operating-system-setuid-programs
+ (setuid-programs %operating-system-setuid-programs
(default %setuid-programs)) ; list of string-valued gexps
(sudoers-file operating-system-sudoers-file ; file-like
@@ -671,7 +672,7 @@ bookkeeping."
(operating-system-environment-variables os))
host-name procs root-fs
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type
(operating-system-packages os))
other-fs
@@ -701,7 +702,7 @@ bookkeeping."
(pam-root-service (operating-system-pam-services os))
(operating-system-etc-service os)
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type (operating-system-packages os)))))
(define* (operating-system-services os)
@@ -1065,6 +1066,11 @@ use 'plain-file' instead~%")
;; TODO: Remove when glibc <at> 2.23 is long gone.
("GUIX_LOCPATH" . "/run/current-system/locale")))
+(define (operating-system-setuid-programs os)
+ "Return the setuid programs for OS, as a list of setuid-program record."
+ (map file-like->setuid-program
+ (%operating-system-setuid-programs os)))
+
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm
new file mode 100644
index 0000000000..e8b9c0df81
--- /dev/null
+++ b/gnu/system/setuid.scm
@@ -0,0 +1,57 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu system setuid)
+ #:use-module (guix records)
+ #:export (setuid-program
+ setuid-program?
+ setuid-program-program
+ setuid-program-setuid?
+ setuid-program-setgid?
+ setuid-program-user
+ setuid-program-group
+
+ file-like->setuid-program))
+
+;;; Commentary:
+;;;
+;;; Data structures representing setuid/setgid programs. This is meant to be
+;;; used both on the host side and at run time--e.g., in activation snippets.
+;;;
+;;; Code:
+
+(define-record-type* <setuid-program>
+ setuid-program make-setuid-program
+ setuid-program?
+ ;; Path to program to link with setuid permissions
+ (program setuid-program-program) ;file-like
+ ;; Whether to set user setuid bit
+ (setuid? setuid-program-setuid? ;boolean
+ (default #t))
+ ;; Whether to set user setgid bit
+ (setgid? setuid-program-setgid? ;boolean
+ (default #f))
+ ;; The user this should be set to (defaults to root)
+ (user setuid-program-user ;integer or string
+ (default 0))
+ ;; Group we want to set this to (defaults to root)
+ (group setuid-program-group ;integer or string
+ (default 0)))
+
+(define (file-like->setuid-program program)
+ (setuid-program (program program)))
--
2.31.1
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Mon, 05 Jul 2021 15:19:02 GMT) Full text and rfc822 format available.Message #28 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Chris Lemmer-Webber <cwebber <at> dustycloud.org> To: Brice Waegeneire <brice <at> waegenei.re> Cc: 44770 <at> debbugs.gnu.org Subject: Re: [PATCH v2 0/2] services: setuid: More configurable setuid support. Date: Mon, 05 Jul 2021 11:18:57 -0400
Ooh! Taking a look! Brice Waegeneire writes: > Hello Christopher, > > Some times ago I continued your patch from where you left it. If I recall > correctly it should address all the suggestions from Ludo' and Maxim. I'm > using it for several month now without any issue. > > Thank your for your work on this issue Christopher! Thank you! A request... could you rename my name in the patches to Chris Lemmer-Webber? There have been some recent changes: https://dustycloud.org/blog/nonbinary-trans-femme/ "-topher" is now a deprecated suffix and I am moving to consistency with my spouse in having a dash in my last name. :) > Cheers, > - Brice > > Brice Waegeneire (1): > services: Migrate to <setuid-program>. > > Christopher Lemmer Webber (1): > services: setuid: More configurable setuid support. > > gnu/build/activation.scm | 38 ++++++++++++++++++++------- > gnu/services.scm | 45 ++++++++++++++++++++++++++++--- > gnu/services/dbus.scm | 13 ++++++--- > gnu/services/desktop.scm | 26 +++++++++++------- > gnu/services/docker.scm | 9 ++++--- > gnu/services/xorg.scm | 4 ++- > gnu/system.scm | 45 +++++++++++++++++-------------- > gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++ > 8 files changed, 186 insertions(+), 51 deletions(-) > create mode 100644 gnu/system/setuid.scm
bug-coreutils <at> gnu.org:bug#44770; Package coreutils.
(Mon, 05 Jul 2021 15:25:01 GMT) Full text and rfc822 format available.Message #31 received at 44770 <at> debbugs.gnu.org (full text, mbox):
From: Chris Lemmer-Webber <cwebber <at> dustycloud.org> To: Brice Waegeneire <brice <at> waegenei.re> Cc: 44770 <at> debbugs.gnu.org Subject: Re: [PATCH v2 1/2] services: setuid: More configurable setuid support. Date: Mon, 05 Jul 2021 11:24:09 -0400
Brice Waegeneire writes:
> From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
>
> New record <setuid-program> with fields for setting the specific user
> and group, as well as specifically selecting the setuid and setgid bits,
> for a program within the setuid-program-service.
>
> * gnu/services.scm (setuid-program-file-like-deprecated): New function.
> (setuid-program-service-type): Make use of
> setuid-program->activation-gexp. Adjust the extend property to handle
> <setuid-program>.
> * gnu/build/activation.scm (activate-setuid-programs): Update to expect a
> <setuid-record> list for each program entry.
> * gnu/system.scm: (operating-system-setuid-programs): Renamed to
> %operating-system-setuid-programs and replace it with new procedure.
> (operating-system-default-essential-services,
> hurd-default-essential-services): Replace
> operating-system-setuid-programs with %operating-system-setuid-programs.
Should fix the indentation here for consistency. Might have been my fault.
> * gnu/system/setuid.scm: New file.
>
> Co-authored-by: Brice Waegeneire <brice <at> waegenei.re>
> ---
> gnu/build/activation.scm | 38 ++++++++++++++++++++-------
> gnu/services.scm | 45 ++++++++++++++++++++++++++++---
> gnu/system.scm | 14 +++++++---
> gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 136 insertions(+), 18 deletions(-)
> create mode 100644 gnu/system/setuid.scm
>
> diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
> index 2af1d44b5f..ab9255d095 100644
> --- a/gnu/build/activation.scm
> +++ b/gnu/build/activation.scm
> @@ -6,6 +6,8 @@
> ;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
> ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado <at> elephly.net>
> ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
> +;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
So yeah, change the copyright here too if you don't mind :)
> +;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -24,6 +26,7 @@
>
> (define-module (gnu build activation)
> #:use-module (gnu system accounts)
> + #:use-module (gnu system setuid)
> #:use-module (gnu build accounts)
> #:use-module (gnu build linux-boot)
> #:use-module (guix build utils)
> @@ -279,14 +282,17 @@ they already exist."
> "/run/setuid-programs")
>
> (define (activate-setuid-programs programs)
> - "Turn PROGRAMS, a list of file names, into setuid programs stored under
> -%SETUID-DIRECTORY."
> - (define (make-setuid-program prog)
> + "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
> +stored under %SETUID-DIRECTORY."
> + (define (make-setuid-program program setuid? setgid? uid gid)
> (let ((target (string-append %setuid-directory
> - "/" (basename prog))))
> - (copy-file prog target)
> - (chown target 0 0)
> - (chmod target #o4555)))
> + "/" (basename program)))
> + (mode (+ #o0555 ; base permissions
> + (if setuid? #o4000 0) ; setuid bit
> + (if setgid? #o2000 0)))) ; setgid bit
> + (copy-file program target)
> + (chown target uid gid)
> + (chmod target mode)))
>
> (format #t "setting up setuid programs in '~a'...~%"
> %setuid-directory)
> @@ -302,15 +308,27 @@ they already exist."
> (for-each (lambda (program)
> (catch 'system-error
> (lambda ()
> - (make-setuid-program program))
> + (let* ((program-name (setuid-program-program program))
> + (setuid? (setuid-program-setuid? program))
> + (setgid? (setuid-program-setgid? program))
> + (user (setuid-program-user program))
> + (group (setuid-program-group program))
> + (uid (match user
> + ((? string?) (passwd:uid (getpwnam user)))
> + ((? integer?) user)))
> + (gid (match group
> + ((? string?) (group:gid (getgrnam group)))
> + ((? integer?) group))))
> + (make-setuid-program program-name setuid? setgid? uid gid)))
Oh, looks like you got rid of my match here. I guess it wasn't needed
to deconstruct the arguments and reconstruct them the way I had?
Oh, it looks like this is what Ludo suggested. Well nice job pulling it
off then :)
> (lambda args
> ;; If we fail to create a setuid program, better keep going
> ;; so that we don't leave %SETUID-DIRECTORY empty or
> ;; half-populated. This can happen if PROGRAMS contains
> ;; incorrect file names: <https://bugs.gnu.org/38800>.
> (format (current-error-port)
> - "warning: failed to make '~a' setuid-root: ~a~%"
> - program (strerror (system-error-errno args))))))
> + "warning: failed to make ~s setuid/setgid: ~a~%"
> + (setuid-program-program program)
> + (strerror (system-error-errno args))))))
> programs))
>
> (define (activate-special-files special-files)
> diff --git a/gnu/services.scm b/gnu/services.scm
> index 8d413e198e..2f5f67b3a1 100644
> --- a/gnu/services.scm
> +++ b/gnu/services.scm
> @@ -4,6 +4,8 @@
> ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
> ;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
> ;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework <at> protonmail.com>
> +;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
Name change here too please...!
> +;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -40,6 +42,7 @@
> #:use-module (gnu packages base)
> #:use-module (gnu packages bash)
> #:use-module (gnu packages hurd)
> + #:use-module (gnu system setuid)
> #:use-module (srfi srfi-1)
> #:use-module (srfi srfi-9)
> #:use-module (srfi srfi-9 gnu)
> @@ -801,15 +804,49 @@ directory."
> FILES must be a list of name/file-like object pairs."
> (service etc-service-type files))
>
> +(define (setuid-program->activation-gexp programs)
> + "Return an activation gexp for setuid-program from PROGRAMS."
> + (let ((programs (map (lambda (program)
> + ;; FIXME This is really ugly, I didn't managed to use
> + ;; "inherit"
> + (let ((program-name (setuid-program-program program))
> + (setuid? (setuid-program-setuid? program))
> + (setgid? (setuid-program-setgid? program))
> + (user (setuid-program-user program))
> + (group (setuid-program-group program)) )
> + #~(setuid-program
> + (setuid? #$setuid?)
> + (setgid? #$setgid?)
> + (user #$user)
> + (group #$group)
> + (program #$program-name))))
> + programs)))
> + (with-imported-modules (source-module-closure
> + '((gnu system setuid)))
> + #~(begin
> + (use-modules (gnu system setuid))
> +
> + (activate-setuid-programs (list #$@programs))))))
> +
> +(define (setuid-program-file-like-deprecated file-like)
> + (match file-like
> + ((? file-like? program)
> + (warning
> + (G_ "representing setuid programs with '~a' is \
> +deprecated; use 'setuid-program' instead~%") program)
> + (setuid-program (program program)))
> + ((? setuid-program? program)
> + program)))
> +
> (define setuid-program-service-type
> (service-type (name 'setuid-program)
> (extensions
> (list (service-extension activation-service-type
> - (lambda (programs)
> - #~(activate-setuid-programs
> - (list #$@programs))))))
> + setuid-program->activation-gexp)))
> (compose concatenate)
> - (extend append)
> + (extend (lambda (config extensions)
> + (map setuid-program-file-like-deprecated
> + (append config extensions))))
> (description
> "Populate @file{/run/setuid-programs} with the specified
> executables, making them setuid-root.")))
> diff --git a/gnu/system.scm b/gnu/system.scm
> index 8a3ae27d04..96b45ede96 100644
> --- a/gnu/system.scm
> +++ b/gnu/system.scm
> @@ -7,7 +7,7 @@
> ;;; Copyright © 2019 Meiyo Peng <meiyo.peng <at> gmail.com>
> ;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
> ;;; Copyright © 2020 Danny Milosavljevic <dannym <at> scratchpost.org>
> -;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
> +;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
> ;;; Copyright © 2020 Florian Pelz <pelzflorian <at> pelzflorian.de>
> ;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
> ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <jannek <at> gnu.org>
> @@ -74,6 +74,7 @@
> #:use-module (gnu system locale)
> #:use-module (gnu system pam)
> #:use-module (gnu system linux-initrd)
> + #:use-module (gnu system setuid)
> #:use-module (gnu system uuid)
> #:use-module (gnu system file-systems)
> #:use-module (gnu system mapped-devices)
> @@ -267,7 +268,7 @@
>
> (pam-services operating-system-pam-services ; list of PAM services
> (default (base-pam-services)))
> - (setuid-programs operating-system-setuid-programs
> + (setuid-programs %operating-system-setuid-programs
> (default %setuid-programs)) ; list of string-valued gexps
>
> (sudoers-file operating-system-sudoers-file ; file-like
> @@ -671,7 +672,7 @@ bookkeeping."
> (operating-system-environment-variables os))
> host-name procs root-fs
> (service setuid-program-service-type
> - (operating-system-setuid-programs os))
> + (%operating-system-setuid-programs os))
> (service profile-service-type
> (operating-system-packages os))
> other-fs
> @@ -701,7 +702,7 @@ bookkeeping."
> (pam-root-service (operating-system-pam-services os))
> (operating-system-etc-service os)
> (service setuid-program-service-type
> - (operating-system-setuid-programs os))
> + (%operating-system-setuid-programs os))
> (service profile-service-type (operating-system-packages os)))))
>
> (define* (operating-system-services os)
> @@ -1065,6 +1066,11 @@ use 'plain-file' instead~%")
> ;; TODO: Remove when glibc <at> 2.23 is long gone.
> ("GUIX_LOCPATH" . "/run/current-system/locale")))
>
> +(define (operating-system-setuid-programs os)
> + "Return the setuid programs for OS, as a list of setuid-program record."
> + (map file-like->setuid-program
> + (%operating-system-setuid-programs os)))
> +
> (define %setuid-programs
> ;; Default set of setuid-root programs.
> (let ((shadow (@ (gnu packages admin) shadow)))
> diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm
> new file mode 100644
> index 0000000000..e8b9c0df81
> --- /dev/null
> +++ b/gnu/system/setuid.scm
> @@ -0,0 +1,57 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu system setuid)
> + #:use-module (guix records)
> + #:export (setuid-program
> + setuid-program?
> + setuid-program-program
> + setuid-program-setuid?
> + setuid-program-setgid?
> + setuid-program-user
> + setuid-program-group
> +
> + file-like->setuid-program))
> +
> +;;; Commentary:
> +;;;
> +;;; Data structures representing setuid/setgid programs. This is meant to be
> +;;; used both on the host side and at run time--e.g., in activation snippets.
> +;;;
> +;;; Code:
> +
> +(define-record-type* <setuid-program>
> + setuid-program make-setuid-program
> + setuid-program?
> + ;; Path to program to link with setuid permissions
> + (program setuid-program-program) ;file-like
> + ;; Whether to set user setuid bit
> + (setuid? setuid-program-setuid? ;boolean
> + (default #t))
> + ;; Whether to set user setgid bit
> + (setgid? setuid-program-setgid? ;boolean
> + (default #f))
> + ;; The user this should be set to (defaults to root)
> + (user setuid-program-user ;integer or string
> + (default 0))
> + ;; Group we want to set this to (defaults to root)
> + (group setuid-program-group ;integer or string
> + (default 0)))
> +
> +(define (file-like->setuid-program program)
> + (setuid-program (program program)))
Paul Eggert <eggert <at> cs.ucla.edu>:積丹尼 Dan Jacobson <jidanni <at> jidanni.org>:Message #36 received at 44770-done <at> debbugs.gnu.org (full text, mbox):
From: Paul Eggert <eggert <at> cs.ucla.edu> To: Dan Jacobson <jidanni <at> jidanni.org> Cc: 44770-done <at> debbugs.gnu.org Subject: chown: warn when encountering deprecated dot separator Date: Thu, 24 Feb 2022 18:23:38 -0800
[Message part 1 (text/plain, inline)]
Thanks for the suggestion. I installed the attached patches to do that.
[0001-build-update-gnulib-submodule-to-latest.patch (text/x-patch, attachment)]
[0002-chown-warn-about-USER.GROUP.patch (text/x-patch, attachment)]
Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Fri, 25 Mar 2022 11:24:08 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.