Subject: [bug#62726] services: Activate `setuid-program-service-type' in shepherd.
From: Brian Cully <bjc@HIDDEN>
Date: Sat, 08 Apr 2023 11:09:43 -0400
This patch moves setuid activation to a one-shot shepherd service,
and fixes #62725.
--
-bjc
Subject: [bug#62726] [PATCH] services: Activate `setuid-program-service-type' in shepherd.
From: Brian Cully <bjc@HIDDEN>
Date: Sat, 8 Apr 2023 11:16:35 -0400
Activate using a one-shot Shepherd service on boot, rather than attaching to
`activation-service-type' to populate `/run/setuid-programs'.
In order to prevent a dependency cycle between (gnu services) and (gnu
services shepherd), introduce a new module (gnu services setuid) and deprecate
the import of `setuid-program-service-type' from (gnu services).
* gnu/local.mk (GNU_SYSTEM_MODULES): add setuid.scm.
* gnu/services.scm (setuid-program-service-type): deprecate.
* gnu/services/setuid.scm: new module.
* gnu/services/dbus.scm (gnu): import (gnu services setuid).
* gnu/services/desktop.scm (gnu): import (gnu services setuid).
* gnu/services/docker.scm (gnu): import (gnu services setuid).
* gnu/services/mail.scm (gnu): import (gnu services setuid).
* gnu/services/xorg.scm (gnu): import (gnu services setuid).
* gnu/system.scm (gnu): import (gnu services setuid).
---
gnu/local.mk | 1 +
gnu/services.scm | 40 +++---------------------------
gnu/services/dbus.scm | 1 +
gnu/services/desktop.scm | 1 +
gnu/services/docker.scm | 1 +
gnu/services/mail.scm | 1 +
gnu/services/setuid.scm | 53 ++++++++++++++++++++++++++++++++++++++++
gnu/services/xorg.scm | 1 +
gnu/system.scm | 1 +
9 files changed, 63 insertions(+), 37 deletions(-)
create mode 100644 gnu/services/setuid.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..55dae3426a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -704,6 +704,7 @@ GNU_SYSTEM_MODULES = \
%D%/services/rsync.scm \
%D%/services/samba.scm \
%D%/services/sddm.scm \
+ %D%/services/setuid.scm \
%D%/services/spice.scm \
%D%/services/ssh.scm \
%D%/services/syncthing.scm \
diff --git a/gnu/services.scm b/gnu/services.scm
index d6c7ad0553..f42d4bc15f 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -43,7 +43,6 @@ (define-module (gnu services)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
- #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -110,7 +109,7 @@ (define-module (gnu services)
extra-special-file
etc-service-type
etc-directory
- setuid-program-service-type
+ setuid-program-service-type ; deprecated
profile-service-type
firmware-service-type
gc-root-service-type
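Review bot: Keeping `setuid-program-service-type` in the export list of (gnu services), marked `; deprecated` here, while the new (gnu services setuid) exports the same name means every module that imports both gets one identifier from two modules. After this patch that is the case for dbus.scm, desktop.scm, docker.scm, mail.scm, xorg.scm and system.scm. A deprecated alias normally has a different name from its replacement so callers can migrate; with an identical name the warning cannot tell old uses from new ones. Consider dropping the export from (gnu services) outright and documenting the new module path instead.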
@@ -811,41 +810,8 @@ (define-deprecated (etc-service files)
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
-(define (setuid-program->activation-gexp programs)
- "Return an activation gexp for setuid-program from PROGRAMS."
- (let ((programs (map (lambda (program)
- ;; FIXME This is really ugly, I didn't managed to use
- ;; "inherit"
- (let ((program-name (setuid-program-program program))
- (setuid? (setuid-program-setuid? program))
- (setgid? (setuid-program-setgid? program))
- (user (setuid-program-user program))
- (group (setuid-program-group program)) )
- #~(setuid-program
- (setuid? #$setuid?)
- (setgid? #$setgid?)
- (user #$user)
- (group #$group)
- (program #$program-name))))
- programs)))
- (with-imported-modules (source-module-closure
- '((gnu system setuid)))
- #~(begin
- (use-modules (gnu system setuid))
-
- (activate-setuid-programs (list #$@programs))))))
-
-(define setuid-program-service-type
- (service-type (name 'setuid-program)
- (extensions
- (list (service-extension activation-service-type
- setuid-program->activation-gexp)))
- (compose concatenate)
- (extend (lambda (config extensions)
- (append config extensions)))
- (description
- "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid and/or setgid.")))
+(define-deprecated/public-alias setuid-program-service-type
+ (@ (gnu services setuid) setuid-program-service-type))
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index e9c9346f56..dd9f0122b1 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -21,6 +21,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
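Review bot: Only the import is added here; nothing makes the D-Bus Shepherd service require `setuid-programs`. With activation, `/run/setuid-programs` was populated before Shepherd started any service. Once population is itself a one-shot Shepherd service (see gnu/services/setuid.scm in this patch), a service that runs a binary from that directory can start before the directory is populated unless it lists `setuid-programs` in its `requirement`. The same applies to the other modules in this patch that only gain the import.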
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..1ff7abd61e 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -33,6 +33,7 @@
(define-module (gnu services desktop)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 741bab5a8c..32ed9739bf 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -26,6 +26,7 @@ (define-module (gnu services docker)
#:use-module (gnu services configuration)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..d6e35a07f8 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -27,6 +27,7 @@ (define-module (gnu services mail)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system shadow)
diff --git a/gnu/services/setuid.scm b/gnu/services/setuid.scm
new file mode 100644
index 0000000000..4e46510733
--- /dev/null
+++ b/gnu/services/setuid.scm
@@ -0,0 +1,53 @@
+(define-module (gnu services setuid)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (srfi srfi-1)
+ #:export (setuid-program-service-type))
+
+(define (setuid-programs->shepherd-service programs)
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)
+ (gnu build activation)))
+ (list (shepherd-service
+ (documentation "Populate @file{/run/setuid-programs}.")
+ (provision '(setuid-programs))
+ ;; TODO: actually need to require account service. maybe user-homes
+ ;; as a proxy?
+ (requirement '(file-systems))
+ (one-shot? #t)
+ (modules '((gnu system setuid)
+ (gnu build activation)))
+ (start #~(lambda ()
+ (activate-setuid-programs (list #$@programs))
+ #t)))))))
+
+(define setuid-program-service-type
+ (service-type (name 'setuid-program)
+ (extensions
+ (list
+ (service-extension shepherd-root-service-type
+ setuid-programs->shepherd-service)))
+ (compose concatenate)
+ (extend append)
+ (default-value '())
+ (description
+ "Populate @file{/run/setuid-programs} with the specified
+executables, making them setuid and/or setgid.")))
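Review bot: The `requirement` of the new service is only `'(file-systems)`, while the TODO directly above it says the account service is needed too. Each `setuid-program` record passed to `activate-setuid-programs` carries `user` and `group` fields, so the one-shot should not run until those accounts exist; please resolve the TODO with a real requirement before merging rather than shipping the comment. Two smaller points on the new file: it starts at `(define-module ...)` with no copyright and license header, and `setuid-programs->shepherd-service` lost the docstring its predecessor `setuid-program->activation-gexp` had.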
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..9ed1977f66 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -34,6 +34,7 @@ (define-module (gnu services xorg)
#:use-module (gnu artwork)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system setuid)
diff --git a/gnu/system.scm b/gnu/system.scm
index c17c6e4e98..8faa3b4672 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -67,6 +67,7 @@ (define-module (gnu system)
#:use-module (gnu packages text-editors)
#:use-module (gnu packages wget)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu bootloader)
--
2.39.2
From: Leo Famulari <leo@HIDDEN>
Date: Sat, 8 Apr 2023 12:56:43 -0400
To: control <at> debbugs.gnu.org
block 62725 with 62726
From: Brian Cully <bjc@HIDDEN>
Date: Sat, 08 Apr 2023 15:43:30 -0400
To: control <at> debbugs.gnu.org
Subject: control message for bug #62726
retitle 62726 [PATCH] services: Activate `setuid-program-service-type' in shepherd.
quit
Subject: [bug#62726] [PATCH] services: Activate `setuid-program-service-type' in shepherd.
From: Brian Cully <bjc@HIDDEN>
Date: Wed, 07 Jun 2023 08:58:16 -0400
I've made some changes to this patch to address some issues:
1) I've added ‘setuid-programs’ as a requirement to various Shepherd
services which need it, such as dbus and pam. I've also added it to
‘user-processes’ as a requirement to catch things we don't specify
explicitly.
2) I've removed (@ (gnu services) setuid-programs), rather than marking
it deprecated. Since the variable name (setuid-programs-service-type)
hasn't changed, normal deprecation doesn't work anyway, and just leads
to annoying double-import warnings.
This probably deserves an entry in ‘guix pull --news’, because, as a
Shepherd service it can now be used by other Shepherd services, and the
module path has changed, which will cause errors for existing system
configurations which use ‘setuid-programs-service-type’. I'm not sure
the best way to go about adding it, though, or if I should let a
committer do it.
Subject: [bug#62726] [PATCH v2] services: Activate `setuid-program-service-type' in shepherd.
From: Brian Cully <bjc@HIDDEN>
Date: Wed, 7 Jun 2023 08:59:17 -0400
Activate using a one-shot Shepherd service on boot, rather than attaching to
ACTIVATION-SERVICE-TYPE to populate `/run/setuid-programs'.
In order to prevent a dependency cycle between (gnu services) and (gnu
services shepherd), introduce a new module (gnu services setuid) and deprecate
the import of `setuid-program-service-type' from (gnu services).
Add the new SETUID-PROGRAMS Shepherd service to the extant Shepherd services
which need it, as well as USER-PROCESSES as a catch for things started later.
* gnu/local.mk (GNU_SYSTEM_MODULES): add setuid.scm.
* gnu/services.scm (setuid-program-service-type): removed.
* gnu/services/setuid.scm: new module.
* gnu/services/dbus.scm (gnu): import (gnu services setuid).
(dbus-shepherd-service): require SETUID-PROGRAMS.
* gnu/services/desktop.scm (gnu): import (gnu services setuid).
* gnu/services/docker.scm (gnu): import (gnu services setuid).
* gnu/services/mail.scm (gnu): import (gnu services setuid).
(<opensmtpd-configuration>): require SETUID-PROGRAMS.
* gnu/services/xorg.scm (gnu): import (gnu services setuid).
* gnu/system.scm (gnu): import (gnu services setuid).
* gnu/system/pam.scm (gnu): import (gnu services setuid).
(pam-root-service): require SETUID-PROGRAMS by default.
---
gnu/local.mk | 1 +
gnu/services.scm | 38 ---------------------------
gnu/services/dbus.scm | 3 ++-
gnu/services/desktop.scm | 1 +
gnu/services/docker.scm | 1 +
gnu/services/mail.scm | 3 ++-
gnu/services/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
gnu/services/xorg.scm | 1 +
gnu/system.scm | 1 +
gnu/system/pam.scm | 5 +++-
10 files changed, 70 insertions(+), 41 deletions(-)
create mode 100644 gnu/services/setuid.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index 9adf593318..6f9013056c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -708,6 +708,7 @@ GNU_SYSTEM_MODULES = \
%D%/services/rsync.scm \
%D%/services/samba.scm \
%D%/services/sddm.scm \
+ %D%/services/setuid.scm \
%D%/services/spice.scm \
%D%/services/ssh.scm \
%D%/services/syncthing.scm \
diff --git a/gnu/services.scm b/gnu/services.scm
index a990d297c9..a17f7dcee1 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -44,7 +44,6 @@ (define-module (gnu services)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
- #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -111,7 +110,6 @@ (define-module (gnu services)
extra-special-file
etc-service-type
etc-directory
- setuid-program-service-type
profile-service-type
firmware-service-type
gc-root-service-type
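Review bot: The commit message says the import of setuid-program-service-type from (gnu services) is deprecated, but this export list simply drops the symbol, so any operating-system declaration or channel that obtains it through (gnu services) fails with an unbound variable instead of getting a deprecation warning. If the module cycle rules out a re-export, say so in the commit message and add a news entry telling users to import (gnu services setuid).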
@@ -828,42 +826,6 @@ (define-deprecated (etc-service files)
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
-(define (setuid-program->activation-gexp programs)
- "Return an activation gexp for setuid-program from PROGRAMS."
- (let ((programs (map (lambda (program)
- ;; FIXME This is really ugly, I didn't managed to use
- ;; "inherit"
- (let ((program-name (setuid-program-program program))
- (setuid? (setuid-program-setuid? program))
- (setgid? (setuid-program-setgid? program))
- (user (setuid-program-user program))
- (group (setuid-program-group program)) )
- #~(setuid-program
- (setuid? #$setuid?)
- (setgid? #$setgid?)
- (user #$user)
- (group #$group)
- (program #$program-name))))
- programs)))
- (with-imported-modules (source-module-closure
- '((gnu system setuid)))
- #~(begin
- (use-modules (gnu system setuid))
-
- (activate-setuid-programs (list #$@programs))))))
-
-(define setuid-program-service-type
- (service-type (name 'setuid-program)
- (extensions
- (list (service-extension activation-service-type
- setuid-program->activation-gexp)))
- (compose concatenate)
- (extend (lambda (config extensions)
- (append config extensions)))
- (description
- "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid and/or setgid.")))
-
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
;; XXX: 'mlet' is needed here for one reason: to get the proper
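Review bot: Removing the activation-service-type extension leaves the one-shot Shepherd service as the only thing that populates /run/setuid-programs, and the patch does not say what refreshes that directory when the list of setuid programs, or the packages behind them, changes on a running system. Please document whether a reconfigure still updates it or whether the previous setuid binaries stay in place until the next boot; for a directory of privileged executables that difference should be explicit.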
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index 5a0c634393..7f0deaa037 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -21,6 +21,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
@@ -200,7 +201,7 @@ (define dbus-shepherd-service
(list (shepherd-service
(documentation "Run the D-Bus system daemon.")
(provision '(dbus-system))
- (requirement '(user-processes syslogd))
+ (requirement '(user-processes syslogd setuid-programs))
(start #~(make-forkexec-constructor
(list (string-append #$dbus "/bin/dbus-daemon")
"--nofork" "--system" "--syslog-only")
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index a63748b652..f7a601ed47 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -33,6 +33,7 @@
(define-module (gnu services desktop)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 741bab5a8c..32ed9739bf 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -26,6 +26,7 @@ (define-module (gnu services docker)
#:use-module (gnu services configuration)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 12dcc8e71d..3b001e091a 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -27,6 +27,7 @@ (define-module (gnu services mail)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system shadow)
@@ -1655,7 +1656,7 @@ (define-record-type* <opensmtpd-configuration>
(package opensmtpd-configuration-package
(default opensmtpd))
(shepherd-requirement opensmtpd-configuration-shepherd-requirement
- (default '())) ; list of symbols
+ (default '(setuid-programs))) ; list of symbols
(config-file opensmtpd-configuration-config-file
(default %default-opensmtpd-config-file))
(setgid-commands? opensmtpd-setgid-commands? (default #t)))
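Review bot: Putting setuid-programs in the default of shepherd-requirement means any configuration that sets this field to its own list silently loses the dependency, unlike the D-Bus service earlier in this patch, where the symbol is added to the requirement list itself. Consider leaving the default as '() and adding setuid-programs where the Shepherd service's requirement is built, so that user-supplied requirements extend it rather than replace it.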
diff --git a/gnu/services/setuid.scm b/gnu/services/setuid.scm
new file mode 100644
index 0000000000..00319aabdc
--- /dev/null
+++ b/gnu/services/setuid.scm
@@ -0,0 +1,57 @@
+(define-module (gnu services setuid)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (srfi srfi-1)
+ #:export (setuid-program-service-type))
+
+(define (setuid-programs->shepherd-service programs)
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)
+ (gnu build activation)))
+ (list (shepherd-service
+ (documentation "Populate @file{/run/setuid-programs}.")
+ (provision '(setuid-programs))
+ ;; TODO: actually need to require account service. maybe user-homes
+ ;; as a proxy?
+ (requirement '(file-systems))
+ (one-shot? #t)
+ (modules '((gnu system setuid)
+ (gnu build activation)))
+ (start #~(lambda ()
+ (activate-setuid-programs (list #$@programs))
+ #t)))))))
+
+(define setuid-program-service-type
+ (service-type (name 'setuid-program)
+ (extensions
+ (list
+ (service-extension shepherd-root-service-type
+ setuid-programs->shepherd-service)
+ ;; Ensure that setuid programs are set up by the time they
+ ;; might be needed by user-configured processes and daemons.
+ (service-extension user-processes-service-type
+ (const '(setuid-programs)))))
+ (compose concatenate)
+ (extend append)
+ (default-value '())
+ (description
+ "Populate @file{/run/setuid-programs} with the specified
+executables, making them setuid and/or setgid.")))
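Review bot: The Shepherd service requires only file-systems, while the TODO directly above that line says it actually needs the account service; each setuid-program passes its user and group through to activate-setuid-programs, so the service may run before the accounts named there exist. Resolve the TODO before merging by requiring whatever provisions the accounts. Separately, the new module starts at define-module with no copyright or license header, and setuid-programs->shepherd-service has no docstring, although the procedure it replaces had one.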
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index f8cf9f25b6..efcaa52754 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -35,6 +35,7 @@ (define-module (gnu services xorg)
#:use-module (gnu artwork)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system setuid)
diff --git a/gnu/system.scm b/gnu/system.scm
index 354f58f55b..5f834dd8b6 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -67,6 +67,7 @@ (define-module (gnu system)
#:use-module (gnu packages text-editors)
#:use-module (gnu packages wget)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu bootloader)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a035a92e25..4c62e130de 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -24,6 +24,7 @@ (define-module (gnu system pam)
#:use-module (guix gexp)
#:use-module (guix i18n)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (ice-9 match)
@@ -443,7 +444,9 @@ (define pam-root-service-type
program may authenticate users or what it should do when opening a new
session.")))
-(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '()))
+(define* (pam-root-service base
+ #:key (transformers '())
+ (shepherd-requirements '(setuid-programs)))
"The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
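Review bot: The new default for #:shepherd-requirements only applies when the caller omits the keyword; a caller that passes its own list replaces '(setuid-programs) rather than adding to it. If the PAM root service always needs the setuid programs in place, add the symbol inside the procedure body instead of in the default, and mention the requirement in the docstring.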
base-commit: 940665301de4effd065d24c167f619286f2adf4c
--
2.40.1