GNU bug report logs - #41763
services: opensmtpd: Fix the setgid problem for the smtpctl utility.
Reported by: maxim.cournoyer <at> gmail.com
Date: Mon, 8 Jun 2020 17:47:01 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Mon, 08 Jun 2020 17:47:01 GMT)
Acknowledgement sent to maxim.cournoyer <at> gmail.com: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 08 Jun 2020 17:47:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello!
The following patches provide a means to specify a user and group for a
setuid program, and use that to fix a setgid permission issue in the
context of the opensmtpd service.
Christopher, you should be able to leverage this new facility to
configure the uid/gid of the sendmail program to that of the smtpq user,
like this:
--8<---------------cut here---------------start------------->8---
(operating-system)
[...]
(setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
%setuid-programs))
--8<---------------cut here---------------end--------------->8---
The smtpq user is created as part of the OpenSMTPD service definition.
Thank you,
[0001-services-Allow-configuring-the-ownership-of-setuid-p.patch (text/x-patch, attachment)]
[0002-services-opensmtpd-Remove-unused-binding.patch (text/x-patch, attachment)]
[0003-services-opensmtpd-Fix-the-setgid-problem-for-the-sm.patch (text/x-patch, attachment)]
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Thu, 11 Jun 2020 19:21:01 GMT)
Message #8 received at 41763 <at> debbugs.gnu.org (full text, mbox):
maxim.cournoyer <at> gmail.com writes:
> The following patches provide a means to specify a user and group for a
> setuid program, and use that to fix a setgid permission issue in the
> context of the opensmtpd service.
>
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> --8<---------------cut here---------------start------------->8---
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
> --8<---------------cut here---------------end--------------->8---
>
> The smtpq user is created as part of the OpenSMTPD service definition.
>
> Thank you,
>
>
> Maxim
Well, thank you for looking into this Maxim. I've had a brief look
through the patches, although I don't know enough about this area to
comment properly on them.
I wonder if it's worth using a record type to make it possible to pass
the user and group values to the service. That would probably result in
more readable configuration than just using a list of varying length.
Specifically on the diff:
- (list #$@programs))))))
+ (quote (#$@programs)))))))
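Review bot: replacing `(list #$@programs)` with `(quote (#$@programs))` turns every spliced element into literal data, so an entry element that is itself a gexp (for instance `#~(string-append sendmail "/usr/sbin/sendmail")`) is inserted as an unevaluated s-expression instead of a path. The switch is presumably needed because each entry is now a list rather than a bare program (`(list ("…" "smtpq"))` would try to apply the string as a procedure); one way to keep both cases working is to build each entry as a gexp, e.g. `#~(list #$program #$user #$group)`, and splice those into the outer `(list ...)` so that they are evaluated on the build side.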
This change here will mean that you can't pass some values in, as they
won't be evaluated. #~(string-append sendmail "/usr/sbin/sendmail")
would no longer work for example.
Thanks again,
Chris
Information forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Mon, 15 Jun 2020 15:13:02 GMT)
Message #11 received at 41763 <at> debbugs.gnu.org (full text, mbox):
Hello Maxim,
Thank you for the patchset!
maxim.cournoyer <at> gmail.com writes:
> The following patches provide a means to specify a user and group for a
> setuid program, and use that to fix a setgid permission issue in the
> context of the opensmtpd service.
I applied it to try to use wireshark as non-root[0]:
--8<---------------cut here---------------start------------->8---
(simple-service 'wireshark-group account-service-type
(list (user-group (name "wireshark") (system? #t))))
(simple-service 'wireshark-dumpcap setuid-program-service-type
(list (list (file-append wireshark "/bin/dumpcap")
"root" "wireshark")))
--8<---------------cut here---------------end--------------->8---
And unfortunately the first run of “guix reconfigure” failed to make
“dumpcap” setuid, but a subsequent run succeeded:
--8<---------------cut here---------------start------------->8---
[…]
setting up setuid programs in '/run/setuid-programs'...
warning: failed to make '/gnu/store/vdlk9rli5k5svy8p7bhf90ln03ybnxgj-wireshark-3.2.4/bin/dumpcap' setuid (root:wireshark): Success
populating /etc from /gnu/store/hxjyvg80zjaxfynjyk3jgqsn9249azmx-etc...
[…]
--8<---------------cut here---------------end--------------->8---
I guess it's because at first there wasn't a wireshark group on my
system; adding the group and the setuid program was done in the same
run, but “setting up setuid programs” is done before “populating /etc”
(comprising /etc/passwd), which in effect ended up trying to setuid
“dumpcap” before the “wireshark” group existed. Subsequent runs
succeeded in creating a setuid “dumpcap” because the new group was already
on the system; it was created during the first run.
Populating /etc before setting up /run/setuid-programs should fix that
issue, but maybe there is a reason behind the current order of execution.
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
>
Aside from that, I wonder if specifying user and group in a list is
future proof; maybe using a record would be more Guixy. In particular I
would like to be able to set capabilities (as with “setcap”) on binaries
since the store doesn't support it[1], if that's even possible, but it's
another issue.
[0]: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes
[1]: https://lists.gnu.org/archive/html/help-guix/2016-11/msg00046.html
- Brice
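The first-run failure described in the message above, as an added example that is not Guix's own activation code (Guix's is written in Guile and is not shown on this page): a C routine that resolves the user and group named in a setuid-program entry before touching the file, so that a group which does not exist yet is reported by name, and that only prints strerror(errno) when errno was actually set. getpwnam()/getgrnam() may return NULL without setting errno, which is one way a warning ends up reading ": Success" as in the log above; whether that is the exact cause inside Guix is not shown here. It also covers the setgid-only case from the bug title (smtpctl running as group smtpq), which the wireshark entry does not. The path and the entry in main() are constructed, not taken from any real system.

```c
/* Added example, not Guix code: check accounts first, then chown, then
 * chmod, and report lookup failures precisely.  getpwnam()/getgrnam()
 * return NULL both when the entry simply does not exist (errno may be
 * left untouched) and on a real error (errno set); printing
 * strerror(errno) unconditionally after a miss yields "...: Success". */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { LOOKUP_OK = 0, LOOKUP_MISSING = 1, LOOKUP_ERROR = 2 };

/* Resolve a user name to a uid; distinguishes "missing" from "error". */
int lookup_uid(const char *name, uid_t *out, char *why, size_t why_len)
{
    errno = 0;
    struct passwd *pw = getpwnam(name);
    if (pw) {
        *out = pw->pw_uid;
        return LOOKUP_OK;
    }
    if (errno == 0) {
        snprintf(why, why_len, "user '%s' does not exist (yet)", name);
        return LOOKUP_MISSING;
    }
    snprintf(why, why_len, "getpwnam(%s): %s", name, strerror(errno));
    return LOOKUP_ERROR;
}

/* Same for a group name. */
int lookup_gid(const char *name, gid_t *out, char *why, size_t why_len)
{
    errno = 0;
    struct group *gr = getgrnam(name);
    if (gr) {
        *out = gr->gr_gid;
        return LOOKUP_OK;
    }
    if (errno == 0) {
        snprintf(why, why_len, "group '%s' does not exist (yet)", name);
        return LOOKUP_MISSING;
    }
    snprintf(why, why_len, "getgrnam(%s): %s", name, strerror(errno));
    return LOOKUP_ERROR;
}

/* Mode for a wrapper: 0555 plus whichever of setuid/setgid is requested.
 * A setgid-only program (smtpctl running as group smtpq) gets 02555. */
mode_t wrapper_mode(int want_setuid, int want_setgid)
{
    mode_t mode = S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH;
    if (want_setuid)
        mode |= S_ISUID;
    if (want_setgid)
        mode |= S_ISGID;
    return mode;
}

/* Install one entry.  Both accounts are checked before the file is
 * touched, so a group that is not in /etc/group yet is named in the
 * warning and nothing is left half-done.  chown() runs before chmod()
 * because on Linux chown() clears the setuid/setgid bits of a regular
 * file.  Returns 0 on success, -1 otherwise. */
int install_setuid_program(const char *path, const char *user,
                           const char *group, int want_setuid, int want_setgid)
{
    char why[256];
    uid_t uid;
    gid_t gid;

    if (lookup_uid(user, &uid, why, sizeof why) != LOOKUP_OK ||
        lookup_gid(group, &gid, why, sizeof why) != LOOKUP_OK) {
        fprintf(stderr, "warning: not installing '%s': %s\n", path, why);
        return -1;
    }
    if (chown(path, uid, gid) != 0) {   /* errno is meaningful here */
        fprintf(stderr, "warning: chown(%s, %s:%s): %s\n", path, user, group,
                strerror(errno));
        return -1;
    }
    if (chmod(path, wrapper_mode(want_setuid, want_setgid)) != 0) {
        fprintf(stderr, "warning: chmod(%s): %s\n", path, strerror(errno));
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed entry mirroring the report: root:wireshark on dumpcap,
     * attempted on a host where no "wireshark" group exists.  The path is
     * hypothetical; because the accounts are checked first it is never
     * touched when the group is missing. */
    int rc = install_setuid_program("/nonexistent/dumpcap",
                                    "root", "wireshark", 1, 1);
    printf("install returned %d\n", rc);
    return 0;
}
```

Run as an unprivileged user the example only exercises the lookup and error paths; the chown() call is what needs root, and on a real system the path would be the wrapper under /run/setuid-programs rather than the placeholder used here.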
Added indication that bug 41763 blocks 41874. Request was from Brice Waegeneire <brice <at> waegenei.re> to control <at> debbugs.gnu.org. (Sun, 05 Jul 2020 11:48:01 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Sun, 03 Jan 2021 14:15:02 GMT)
Message #16 received at 41763 <at> debbugs.gnu.org (full text, mbox):
It's http://issues.guix.gnu.org/41763.
What blocks us from merging this? It hits me hard when using OpenSMTPD.
Information forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Sun, 03 Jan 2021 14:51:02 GMT)
Message #19 received at 41763 <at> debbugs.gnu.org (full text, mbox):
Jonathan Brielmaier wrote:
> What blocks us from merging this?
Reading [0], Chris & Brice bring up two good points that I don't
see addressed: using a record instead of a list & not breaking
gexps, although fixing one would probably moot the other.
Kind regards,
T G-R
[0]: http://issues.guix.gnu.org/41763
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Fri, 16 Jul 2021 04:25:02 GMT)
Notification sent to maxim.cournoyer <at> gmail.com: bug acknowledged by developer. (Fri, 16 Jul 2021 04:25:02 GMT)
Message #24 received at 41763-done <at> debbugs.gnu.org (full text, mbox):
Hello,
Tobias Geerinckx-Rice <me <at> tobias.gr> writes:
> Jonathan Brielmaier wrote:
>> What blocks us from merging this?
>
> Reading [0], Chris & Brice bring up two good points that I don't see
> addressed: using a record instead of a list & not breaking gexps,
> although fixing one would probably moot the other.
>
> Kind regards,
>
> T G-R
>
> [0]: http://issues.guix.gnu.org/41763
Closing in favor of https://issues.guix.gnu.org/44700.
Thanks,
Maxim
Information forwarded to guix-patches <at> gnu.org: bug#41763; Package guix-patches. (Fri, 16 Jul 2021 05:38:01 GMT)
Message #27 received at 41763 <at> debbugs.gnu.org (full text, mbox):
> Closing in favor of https://issues.guix.gnu.org/44700.
Yes please. Thanks.
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 13 Aug 2021 11:24:08 GMT)