GNU bug report logs - #62725
Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: Brian Cully <bjc@HIDDEN>; dated Sat, 8 Apr 2023 15:05:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added blocking bug(s) 62726. Request was from Leo Famulari <leo@HIDDEN> to control <at>.

Message received at submit <at>

User-agent: mu4e 1.10.0; emacs 28.2
From: Brian Cully <bjc@HIDDEN>
To: bug-guix@HIDDEN
Subject: Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’
Date: Sat, 08 Apr 2023 10:53:07 -0400
Message-ID: <878rf24dqz.fsf@HIDDEN>

There is currently no way to ensure that an account exists before
creating /run/setuid-programs, which means a setuid-program which
uses a custom user or group will fail to be created if setuid
activation happens before account activation.

As an example, here's a system config where I'm trying to install
‘/run/setuid-programs/dumpcap’ as setuid root with a primary group
of ‘wireshark’, also created by this config:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system setuid))
(use-package-modules networking)
(use-service-modules setuid)

;; TODO: make name configurable
(define %wireshark-groups
  (list (user-group
         (name "wireshark")
         (system? #t))))

(define %wireshark-setuid-programs
  (list (setuid-program
         (program (file-append wireshark "/bin/dumpcap"))
         (group "wireshark")
         #;(mask #o550))))

;; Extends both the account service (to create the group) and the
;; setuid-program service (to install dumpcap with that group).
(define wireshark-service-type
  (service-type
   (name 'wireshark)
   (description "Allow use of wireshark by regular users in the
   @code{wireshark} group.")
   (extensions
    (list (service-extension account-service-type
                             (const %wireshark-groups))
          (service-extension setuid-program-service-type
                             (const %wireshark-setuid-programs))))
   (default-value #f)))

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "wireshark-test")

  (users (cons* (user-account
                 (name "test")
                 (group "users")
                 (password (crypt "test" "$6$test")))
                %base-user-accounts))

  (packages
   (cons*
    (specification->package "wireshark")
    %base-packages))

  (services
   (cons*
    (service wireshark-service-type)
    %base-services))

  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets '("/boot/efi"))
    (keyboard-layout keyboard-layout)))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device
             (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"))
            (type "btrfs"))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "6866-56B1" 'fat32))
            (type "vfat"))
          %base-file-systems)))
--8<---------------cut here---------------end--------------->8---

When trying to boot this system in a VM, I'm told that the dumpcap
binary couldn't be created because the file wasn't found. The
returned error is improperly attributed: the source file does
exist, and the error code is actually coming from getgrent(3)
which cannot find the ‘wireshark’ group.

Tracing through the activation scripts shows this to be because,
in this case, setuid-program activation happens before

Thanks to jpoiret for doing a lot of the investigative work here,
which I'm merely verifying through testing.

I believe the correct solution here is to move ‘setuid-program’
activation to a one-shot Shepherd service, because Shepherd allows
explicit ordering, as well as other advantages. To that end, I
have a patch which does precisely that, which I will send to the
patches list shortly.


Acknowledgement sent to Brian Cully <bjc@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#62725; Package guix.
Last modified: Sat, 8 Apr 2023 17:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.