Subject: bug#44770: chown: warn about the dot when encountering it
To: 44770@debbugs.gnu.org
From: 積丹尼 Dan Jacobson
Date: Sat, 21 Nov 2020 05:17:49 +0800
Message-ID: <87zh3b918i.5.fsf@jidanni.org>

Maybe print warning messages when encountering the dot,
(info "(coreutils) chown invocation")
Else Grandpa won't ever know,
https://github.com/scop/bash-completion/issues/468
until one day when it's too late...
(And his program starts messing things up on some other system.)

From: 積丹尼 Dan Jacobson
To: control@debbugs.gnu.org
Date: Sat, 21 Nov 2020 05:26:15 +0800
Message-ID: <87v9dz90ug.5.fsf@jidanni.org>

retitle 44770 chown: warn when encountering deprecated dot separator

Subject: bug#44770: [PATCH v2 0/2] services: setuid: More configurable setuid support.
From: Brice Waegeneire
Date: Sun, 20 Jun 2021 16:19:31 +0200
Message-Id: <20210620141933.27321-1-brice@waegenei.re>
In-Reply-To: <87v98o94ob.fsf@dustycloud.org>

Hello Christopher,

Some time ago I continued your patch from where you left it. If I recall
correctly it should address all the suggestions from Ludo' and Maxim. I've
been using it for several months now without any issue.

Thank you for your work on this issue Christopher!

Cheers,
- Brice

Brice Waegeneire (1):
  services: Migrate to .

Christopher Lemmer Webber (1):
  services: setuid: More configurable setuid support.

 gnu/build/activation.scm | 38 ++++++++++++++++++++-------
 gnu/services.scm         | 45 ++++++++++++++++++++++++++++---
 gnu/services/dbus.scm    | 13 ++++++---
 gnu/services/desktop.scm | 26 +++++++++++------
 gnu/services/docker.scm  |  9 ++++---
 gnu/services/xorg.scm    |  4 ++-
 gnu/system.scm           | 45 +++++++++++++++++--------------
 gnu/system/setuid.scm    | 57 ++++++++++++++++++++++++++++++++++++++++
 8 files changed, 186 insertions(+), 51 deletions(-)
 create mode 100644 gnu/system/setuid.scm

-- 
2.31.1

Subject: bug#44770: [PATCH v2 1/2] services: setuid: More configurable setuid support.
From: Brice Waegeneire
Date: Sun, 20 Jun 2021 16:19:32 +0200
Message-Id: <20210620141933.27321-2-brice@waegenei.re>

From: Christopher Lemmer Webber New record with fields for setting the specific user and group, as well as specifically selecting the setuid and setgid bits, for a program within the setuid-program-service. * gnu/services.scm (setuid-program-file-like-deprecated): New function. (setuid-program-service-type): Make use of setuid-program->activation-gexp. Adjust the extend property to handle . * gnu/build/activation.scm (activate-setuid-programs): Update to expect a list for each program entry. * gnu/system.scm: (operating-system-setuid-programs): Renamed to %operating-system-setuid-programs and replace it with new procedure. (operating-system-default-essential-services, hurd-default-essential-services): Replace operating-system-setuid-programs with %operating-system-setuid-programs. * gnu/system/setuid.scm: New file. Co-authored-by: Brice Waegeneire --- gnu/build/activation.scm | 38 ++++++++++++++++++++------- gnu/services.scm | 45 ++++++++++++++++++++++++++++--- gnu/system.scm | 14 +++++++--- gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 136 insertions(+), 18 deletions(-) create mode 100644 gnu/system/setuid.scm diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 2af1d44b5f..ab9255d095 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -6,6 +6,8 @@ ;;; Copyright © 2018 Arun Isaac ;;; Copyright © 2018, 2019 Ricardo Wurmus ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2020 Christopher Lemmer Webber +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +26,7 @@ (define-module (gnu build activation) #:use-module (gnu system accounts) + #:use-module (gnu system setuid) #:use-module (gnu build accounts) #:use-module (gnu build linux-boot) #:use-module (guix build utils) 
@@ -279,14 +282,17 @@ they already exist." "/run/setuid-programs") (define (activate-setuid-programs programs) - "Turn PROGRAMS, a list of file names, into setuid programs stored under -%SETUID-DIRECTORY." - (define (make-setuid-program prog) + "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs +stored under %SETUID-DIRECTORY." + (define (make-setuid-program program setuid? setgid? uid gid) (let ((target (string-append %setuid-directory - "/" (basename prog)))) - (copy-file prog target) - (chown target 0 0) - (chmod target #o4555))) + "/" (basename program))) + (mode (+ #o0555 ; base permissions + (if setuid? #o4000 0) ; setuid bit + (if setgid? #o2000 0)))) ; setgid bit + (copy-file program target) + (chown target uid gid) + (chmod target mode))) (format #t "setting up setuid programs in '~a'...~%" %setuid-directory) @@ -302,15 +308,27 @@ they already exist." (for-each (lambda (program) (catch 'system-error (lambda () - (make-setuid-program program)) + (let* ((program-name (setuid-program-program program)) + (setuid? (setuid-program-setuid? program)) + (setgid? (setuid-program-setgid? program)) + (user (setuid-program-user program)) + (group (setuid-program-group program)) + (uid (match user + ((? string?) (passwd:uid (getpwnam user))) + ((? integer?) user))) + (gid (match group + ((? string?) (group:gid (getgrnam group))) + ((? integer?) group)))) + (make-setuid-program program-name setuid? setgid? uid gid))) (lambda args ;; If we fail to create a setuid program, better keep going ;; so that we don't leave %SETUID-DIRECTORY empty or ;; half-populated. This can happen if PROGRAMS contains ;; incorrect file names: . (format (current-error-port) - "warning: failed to make '~a' setuid-root: ~a~%" - program (strerror (system-error-errno args)))))) + "warning: failed to make ~s setuid/setgid: ~a~%" + (setuid-program-program program) + (strerror (system-error-errno args)))))) programs)) (define (activate-special-files special-files) 
diff --git a/gnu/services.scm b/gnu/services.scm index 8d413e198e..2f5f67b3a1 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -4,6 +4,8 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020, 2021 Ricardo Wurmus ;;; Copyright © 2021 raid5atemyhomework +;;; Copyright © 2020 Christopher Lemmer Webber +;;; Copyright © 2020, 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +42,7 @@ #:use-module (gnu packages base) #:use-module (gnu packages bash) #:use-module (gnu packages hurd) + #:use-module (gnu system setuid) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-9 gnu) 
@@ -801,15 +804,49 @@ directory." FILES must be a list of name/file-like object pairs." (service etc-service-type files)) +(define (setuid-program->activation-gexp programs) + "Return an activation gexp for setuid-program from PROGRAMS." + (let ((programs (map (lambda (program) + ;; FIXME This is really ugly, I didn't managed to use + ;; "inherit" + (let ((program-name (setuid-program-program program)) + (setuid? (setuid-program-setuid? program)) + (setgid? (setuid-program-setgid? program)) + (user (setuid-program-user program)) + (group (setuid-program-group program)) ) + #~(setuid-program + (setuid? #$setuid?) + (setgid? #$setgid?) + (user #$user) + (group #$group) + (program #$program-name)))) + programs))) + (with-imported-modules (source-module-closure + '((gnu system setuid))) + #~(begin + (use-modules (gnu system setuid)) + + (activate-setuid-programs (list #$@programs)))))) + +(define (setuid-program-file-like-deprecated file-like) + (match file-like + ((? file-like? program) + (warning + (G_ "representing setuid programs with '~a' is \ +deprecated; use 'setuid-program' instead~%") program) + (setuid-program (program program))) + ((? setuid-program? program) + program))) + (define setuid-program-service-type (service-type (name 'setuid-program) (extensions (list (service-extension activation-service-type - (lambda (programs) - #~(activate-setuid-programs - (list #$@programs)))))) + setuid-program->activation-gexp))) (compose concatenate) - (extend append) + (extend (lambda (config extensions) + (map setuid-program-file-like-deprecated + (append config extensions)))) (description "Populate @file{/run/setuid-programs} with the specified executables, making them setuid-root."))) diff --git a/gnu/system.scm b/gnu/system.scm index 8a3ae27d04..96b45ede96 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -7,7 +7,7 @@ ;;; Copyright © 2019 Meiyo Peng ;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas ;;; Copyright © 2020 Danny Milosavljevic -;;; Copyright © 2020 Brice Waegeneire +;;; Copyright © 2020, 2021 Brice Waegeneire ;;; Copyright © 2020 Florian Pelz ;;; Copyright © 2020 Maxim Cournoyer ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen @@ -74,6 +74,7 @@ #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) #:use-module (gnu system mapped-devices) @@ -267,7 +268,7 @@ (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) - (setuid-programs operating-system-setuid-programs + (setuid-programs %operating-system-setuid-programs (default %setuid-programs)) ; list of string-valued gexps (sudoers-file operating-system-sudoers-file ; file-like @@ -671,7 +672,7 @@ bookkeeping." (operating-system-environment-variables os)) host-name procs root-fs (service setuid-program-service-type - (operating-system-setuid-programs os)) + (%operating-system-setuid-programs os)) (service profile-service-type (operating-system-packages os)) other-fs @@ -701,7 +702,7 @@ bookkeeping." (pam-root-service (operating-system-pam-services os)) (operating-system-etc-service os) (service setuid-program-service-type - (operating-system-setuid-programs os)) + (%operating-system-setuid-programs os)) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) 
@@ -1065,6 +1066,11 @@ use 'plain-file' instead~%") ;; TODO: Remove when glibc@2.23 is long gone. ("GUIX_LOCPATH" . "/run/current-system/locale"))) +(define (operating-system-setuid-programs os) + "Return the setuid programs for OS, as a list of setuid-program record." + (map file-like->setuid-program + (%operating-system-setuid-programs os))) + (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm new file mode 100644 index 0000000000..e8b9c0df81 --- /dev/null +++ b/gnu/system/setuid.scm 
@@ -0,0 +1,57 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Brice Waegeneire +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu system setuid) + #:use-module (guix records) + #:export (setuid-program + setuid-program? + setuid-program-program + setuid-program-setuid? + setuid-program-setgid? + setuid-program-user + setuid-program-group + + file-like->setuid-program)) + +;;; Commentary: +;;; +;;; Data structures representing setuid/setgid programs. This is meant to be +;;; used both on the host side and at run time--e.g., in activation snippets. +;;; +;;; Code: + +(define-record-type* + setuid-program make-setuid-program + setuid-program? + ;; Path to program to link with setuid permissions + (program setuid-program-program) ;file-like + ;; Whether to set user setuid bit + (setuid? setuid-program-setuid? ;boolean + (default #t)) + ;; Whether to set user setgid bit + (setgid? setuid-program-setgid? 
;boolean + (default #f)) + ;; The user this should be set to (defaults to root) + (user setuid-program-user ;integer or string + (default 0)) + ;; Group we want to set this to (defaults to root) + (group setuid-program-group ;integer or string + (default 0))) + +(define (file-like->setuid-program program) + (setuid-program (program program))) -- 2.31.1

Subject: bug#44770: [PATCH v2 2/2] services: Migrate to .
From: Brice Waegeneire
Date: Sun, 20 Jun 2021 16:19:33 +0200
Message-Id: <20210620141933.27321-3-brice@waegenei.re>

* gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs):
Return setuid-programs.
* gnu/services/desktop.scm (enlightenment-setuid-programs): Return
setuid-programs.
(%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
* gnu/services/docker.scm (singularity-setuid-programs): Return
setuid-programs.
* gnu/services/xorg.scm (screen-locker-setuid-programs): Return
setuid-programs.
* gnu/system.scm (%setuid-programs): Return setuid-programs.
---
 gnu/services/dbus.scm    | 13 +++++++++----
 gnu/services/desktop.scm | 26 ++++++++++++++++----------
 gnu/services/docker.scm  |  9 ++++++---
 gnu/services/xorg.scm    |  4 +++-
 gnu/system.scm           | 31 ++++++++++++++++---------------
 5 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm index af1a1e4c3a..e7b3dac166 100644 --- a/gnu/services/dbus.scm +++ b/gnu/services/dbus.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -21,6 +22,7 @@ (define-module (gnu services dbus) #:use-module (gnu services) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu packages glib) #:select (dbus)) @@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in (shell (file-append shadow "/sbin/nologin"))))) (define dbus-setuid-programs - ;; Return the file name of the setuid program that we need. + ;; Return a list of for the program that we need. (match-lambda (($ dbus services) - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) + (list (setuid-program + (program (file-append + dbus "/libexec/dbus-daemon-launch-helper"))))))) (define (dbus-activation config) "Return an activation gexp for D-Bus using @var{config}." @@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it." (define polkit-setuid-programs (match-lambda (($ polkit) - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") - (file-append polkit "/bin/pkexec"))))) + (map file-like->setuid-program + (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") + (file-append polkit "/bin/pkexec")))))) (define polkit-service-type (service-type (name 'polkit) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index cd800fcc2b..6297b8eb0b 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2019 David Wilson ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2020 Reza Alizadeh Majd +;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +41,7 @@ #:use-module ((gnu system file-systems) #:select (%elogind-file-systems file-system)) #:use-module (gnu system) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module (gnu packages glib) 
@@ -1034,14 +1036,15 @@ rules." (define (enlightenment-setuid-programs enlightenment-desktop-configuration) (match-record enlightenment-desktop-configuration - - (enlightenment) - (list (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_sys") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_system") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_ckpasswd")))) + + (enlightenment) + (map file-like->setuid-program + (list (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_sys") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_system") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_ckpasswd"))))) (define enlightenment-desktop-service-type (service-type @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) ;; Allow desktop users to also mount NTFS and NFS file systems ;; without root. (simple-service 'mount-setuid-helpers setuid-program-service-type - (list (file-append nfs-utils "/sbin/mount.nfs") - (file-append ntfs-3g "/sbin/mount.ntfs-3g"))) + (map (lambda (program) + (setuid-program + (program program))) + (list (file-append nfs-utils "/sbin/mount.nfs") + (file-append ntfs-3g "/sbin/mount.ntfs-3g")))) ;; The global fontconfig cache directory can sometimes contain ;; stale entries, possibly referencing fonts that have been GC'd, diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index be85316180..ef551480aa 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2020, 2021 Maxim Cournoyer ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -26,6 +27,7 @@ #:use-module (gnu services base) #:use-module (gnu services dbus) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity @@ -195,9 +197,10 @@ bundles in Docker containers.") "-helper"))) '("action" "mount" "start"))))) - (list (file-append helpers "/singularity-action-helper") - (file-append helpers "/singularity-mount-helper") - (file-append helpers "/singularity-start-helper"))) + (map file-like->setuid-program + (list (file-append helpers "/singularity-action-helper") + (file-append helpers "/singularity-mount-helper") + (file-append helpers "/singularity-start-helper")))) (define singularity-service-type (service-type (name 'singularity) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8ffea3b9dd..d95f8beb7a 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 shtwzrd ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Alex Griffin +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system setuid) #:use-module (gnu system keyboard) #:use-module (gnu services base) #:use-module (gnu services dbus) @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" #:allow-empty-passwords? empty?))))) (define screen-locker-setuid-programs - (compose list screen-locker-program)) + (compose list file-like->setuid-program screen-locker-program)) (define screen-locker-service-type (service-type (name 'screen-locker) diff --git a/gnu/system.scm b/gnu/system.scm index 96b45ede96..8a70f86457 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -1074,22 +1074,23 @@ use 'plain-file' instead~%") (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) - (list (file-append shadow "/bin/passwd") - (file-append shadow "/bin/sg") - (file-append shadow "/bin/su") - (file-append shadow "/bin/newgrp") - (file-append shadow "/bin/newuidmap") - (file-append shadow "/bin/newgidmap") - (file-append inetutils "/bin/ping") - (file-append inetutils "/bin/ping6") - (file-append sudo "/bin/sudo") - (file-append sudo "/bin/sudoedit") - (file-append fuse "/bin/fusermount") + (map file-like->setuid-program + (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/sg") + (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") + (file-append shadow "/bin/newuidmap") + (file-append shadow "/bin/newgidmap") + (file-append inetutils "/bin/ping") + (file-append inetutils "/bin/ping6") + (file-append sudo "/bin/sudo") + (file-append sudo "/bin/sudoedit") + (file-append fuse "/bin/fusermount") - ;; To allow mounts with the "user" option, "mount" and "umount" must - ;; be setuid-root. - (file-append util-linux "/bin/mount") - (file-append util-linux "/bin/umount")))) + ;; To allow mounts with the "user" option, "mount" and "umount" must + ;; be setuid-root. + (file-append util-linux "/bin/mount") + (file-append util-linux "/bin/umount"))))) (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' -- 2.31.1 From unknown Sun Jun 15 08:37:06 2025 X-Loop: help-debbugs@gnu.org Subject: bug#44770: [PATCH v2 0/2] services: setuid: More configurable setuid support. 
From: Brice Waegeneire
Date: Sat, 3 Jul 2021 18:22:41 +0200
Message-Id: <20210703162243.5253-1-brice@waegenei.re>

Hello Christopher,

Some time ago I continued your patch from where you left it. If I recall
correctly it should address all the suggestions from Ludo' and Maxim. I'm
using it for several months now without any issue.

Thank you for your work on this issue Christopher!

Cheers,
- Brice

Brice Waegeneire (1):
  services: Migrate to .

Christopher Lemmer Webber (1):
  services: setuid: More configurable setuid support.

 gnu/build/activation.scm | 38 ++++++++++++++++++++-------
 gnu/services.scm         | 45 ++++++++++++++++++++++++++++---
 gnu/services/dbus.scm    | 13 ++++++---
 gnu/services/desktop.scm | 26 +++++++++++-------
 gnu/services/docker.scm  |  9 ++++---
 gnu/services/xorg.scm    |  4 ++-
 gnu/system.scm           | 45 +++++++++++++++++--------------
 gnu/system/setuid.scm    | 57 ++++++++++++++++++++++++++++++++++++++++
 8 files changed, 186 insertions(+), 51 deletions(-)
 create mode 100644 gnu/system/setuid.scm

--
2.31.1

Subject: bug#44770: [PATCH v2 2/2] services: Migrate to .
From: Brice Waegeneire
Date: Sat, 3 Jul 2021 18:22:43 +0200
Message-Id: <20210703162243.5253-3-brice@waegenei.re>

* gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs): Return setuid-programs.
* gnu/services/desktop.scm (enlightenment-setuid-programs): Return setuid-programs.
(%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
* gnu/services/docker.scm (singularity-setuid-programs): Return setuid-programs.
* gnu/services/xorg.scm(screen-locker-setuid-programs): Return setuid-programs.
* gnu/system.scm (%setuid-programs): Return setuid-programs.
---
 gnu/services/dbus.scm    | 13 +++++++++----
 gnu/services/desktop.scm | 26 ++++++++++++++++----------
 gnu/services/docker.scm  |  9 ++++++---
 gnu/services/xorg.scm    |  4 +++-
 gnu/system.scm           | 31 ++++++++++++++++---------------
 5 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm index af1a1e4c3a..e7b3dac166 100644 --- a/gnu/services/dbus.scm +++ b/gnu/services/dbus.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -21,6 +22,7 @@ (define-module (gnu services dbus) #:use-module (gnu services) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu packages glib) #:select (dbus)) 
@@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in (shell (file-append shadow "/sbin/nologin"))))) (define dbus-setuid-programs - ;; Return the file name of the setuid program that we need. + ;; Return a list of for the program that we need. (match-lambda (($ dbus services) - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) + (list (setuid-program + (program (file-append + dbus "/libexec/dbus-daemon-launch-helper"))))))) (define (dbus-activation config) "Return an activation gexp for D-Bus using @var{config}." @@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it." (define polkit-setuid-programs (match-lambda (($ polkit) - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") - (file-append polkit "/bin/pkexec"))))) + (map file-like->setuid-program + (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") + (file-append polkit "/bin/pkexec")))))) (define polkit-service-type (service-type (name 'polkit) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index cd800fcc2b..6297b8eb0b 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2019 David Wilson ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2020 Reza Alizadeh Majd +;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +41,7 @@ #:use-module ((gnu system file-systems) #:select (%elogind-file-systems file-system)) #:use-module (gnu system) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module (gnu packages glib) 
@@ -1034,14 +1036,15 @@ rules." (define (enlightenment-setuid-programs enlightenment-desktop-configuration) (match-record enlightenment-desktop-configuration - - (enlightenment) - (list (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_sys") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_system") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_ckpasswd")))) + + (enlightenment) + (map file-like->setuid-program + (list (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_sys") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_system") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_ckpasswd"))))) (define enlightenment-desktop-service-type (service-type @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) ;; Allow desktop users to also mount NTFS and NFS file systems ;; without root. (simple-service 'mount-setuid-helpers setuid-program-service-type - (list (file-append nfs-utils "/sbin/mount.nfs") - (file-append ntfs-3g "/sbin/mount.ntfs-3g"))) + (map (lambda (program) + (setuid-program + (program program))) + (list (file-append nfs-utils "/sbin/mount.nfs") + (file-append ntfs-3g "/sbin/mount.ntfs-3g")))) ;; The global fontconfig cache directory can sometimes contain ;; stale entries, possibly referencing fonts that have been GC'd, diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index be85316180..ef551480aa 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2020, 2021 Maxim Cournoyer ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -26,6 +27,7 @@ #:use-module (gnu services base) #:use-module (gnu services dbus) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity @@ -195,9 +197,10 @@ bundles in Docker containers.") "-helper"))) '("action" "mount" "start"))))) - (list (file-append helpers "/singularity-action-helper") - (file-append helpers "/singularity-mount-helper") - (file-append helpers "/singularity-start-helper"))) + (map file-like->setuid-program + (list (file-append helpers "/singularity-action-helper") + (file-append helpers "/singularity-mount-helper") + (file-append helpers "/singularity-start-helper")))) (define singularity-service-type (service-type (name 'singularity) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8ffea3b9dd..d95f8beb7a 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 shtwzrd ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Alex Griffin +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system setuid) #:use-module (gnu system keyboard) #:use-module (gnu services base) #:use-module (gnu services dbus) @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" #:allow-empty-passwords? empty?))))) (define screen-locker-setuid-programs - (compose list screen-locker-program)) + (compose list file-like->setuid-program screen-locker-program)) (define screen-locker-service-type (service-type (name 'screen-locker) diff --git a/gnu/system.scm b/gnu/system.scm index 96b45ede96..8a70f86457 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -1074,22 +1074,23 @@ use 'plain-file' instead~%") (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) - (list (file-append shadow "/bin/passwd") - (file-append shadow "/bin/sg") - (file-append shadow "/bin/su") - (file-append shadow "/bin/newgrp") - (file-append shadow "/bin/newuidmap") - (file-append shadow "/bin/newgidmap") - (file-append inetutils "/bin/ping") - (file-append inetutils "/bin/ping6") - (file-append sudo "/bin/sudo") - (file-append sudo "/bin/sudoedit") - (file-append fuse "/bin/fusermount") + (map file-like->setuid-program + (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/sg") + (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") + (file-append shadow "/bin/newuidmap") + (file-append shadow "/bin/newgidmap") + (file-append inetutils "/bin/ping") + (file-append inetutils "/bin/ping6") + (file-append sudo "/bin/sudo") + (file-append sudo "/bin/sudoedit") + (file-append fuse "/bin/fusermount") - ;; To allow mounts with the "user" option, "mount" and "umount" must - ;; be setuid-root. - (file-append util-linux "/bin/mount") - (file-append util-linux "/bin/umount")))) + ;; To allow mounts with the "user" option, "mount" and "umount" must + ;; be setuid-root. + (file-append util-linux "/bin/mount") + (file-append util-linux "/bin/umount"))))) (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' -- 2.31.1
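Review bot: In the copyright hunk of gnu/services/desktop.scm the added line starts with two semicolons, `;; Copyright © 2021 Brice Waegeneire`, while the header lines around it use `;;;`. It should match them.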
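Review bot: In the `mount-setuid-helpers` hunk of gnu/services/desktop.scm, the inline `(lambda (program) (setuid-program (program program)))` duplicates `file-like->setuid-program`, which this same patch uses for the enlightenment, polkit, singularity and `%setuid-programs` lists. Writing `(map file-like->setuid-program (list ...))` here keeps the conversions uniform and leaves a single place to change if the record's defaults ever move. `dbus-setuid-programs` in gnu/services/dbus.scm builds its record by hand in the same way and could use the helper too.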
Subject: bug#44770: [PATCH v2 1/2] services: setuid: More configurable setuid support.
From: Brice Waegeneire
Date: Sat, 3 Jul 2021 18:22:42 +0200
Message-Id: <20210703162243.5253-2-brice@waegenei.re>

From: Christopher Lemmer Webber

New record with fields for setting the specific user
and group, as well as specifically selecting the setuid and setgid bits,
for a program within the setuid-program-service.

* gnu/services.scm (setuid-program-file-like-deprecated): New function.
(setuid-program-service-type): Make use of
setuid-program->activation-gexp. Adjust the extend property to handle .
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
list for each program entry.
* gnu/system.scm: (operating-system-setuid-programs): Renamed to
%operating-system-setuid-programs and replace it with new procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Replace
operating-system-setuid-programs with %operating-system-setuid-programs.
* gnu/system/setuid.scm: New file.

Co-authored-by: Brice Waegeneire
---
 gnu/build/activation.scm | 38 ++++++++++++++++++++-------
 gnu/services.scm         | 45 ++++++++++++++++++++++++++++---
 gnu/system.scm           | 14 +++++++---
 gnu/system/setuid.scm    | 57 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 136 insertions(+), 18 deletions(-)
 create mode 100644 gnu/system/setuid.scm

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 2af1d44b5f..ab9255d095 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -6,6 +6,8 @@ ;;; Copyright © 2018 Arun Isaac ;;; Copyright © 2018, 2019 Ricardo Wurmus ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2020 Christopher Lemmer Webber +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +26,7 @@ (define-module (gnu build activation) #:use-module (gnu system accounts) + #:use-module (gnu system setuid) #:use-module (gnu build accounts) #:use-module (gnu build linux-boot) #:use-module (guix build utils) 
@@ -279,14 +282,17 @@ they already exist." "/run/setuid-programs") (define (activate-setuid-programs programs) - "Turn PROGRAMS, a list of file names, into setuid programs stored under -%SETUID-DIRECTORY." - (define (make-setuid-program prog) + "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs +stored under %SETUID-DIRECTORY." + (define (make-setuid-program program setuid? setgid? uid gid) (let ((target (string-append %setuid-directory - "/" (basename prog)))) - (copy-file prog target) - (chown target 0 0) - (chmod target #o4555))) + "/" (basename program))) + (mode (+ #o0555 ; base permissions + (if setuid? #o4000 0) ; setuid bit + (if setgid? #o2000 0)))) ; setgid bit + (copy-file program target) + (chown target uid gid) + (chmod target mode))) (format #t "setting up setuid programs in '~a'...~%" %setuid-directory) @@ -302,15 +308,27 @@ they already exist." (for-each (lambda (program) (catch 'system-error (lambda () - (make-setuid-program program)) + (let* ((program-name (setuid-program-program program)) + (setuid? (setuid-program-setuid? program)) + (setgid? (setuid-program-setgid? program)) + (user (setuid-program-user program)) + (group (setuid-program-group program)) + (uid (match user + ((? string?) (passwd:uid (getpwnam user))) + ((? integer?) user))) + (gid (match group + ((? string?) (group:gid (getgrnam group))) + ((? integer?) group)))) + (make-setuid-program program-name setuid? setgid? uid gid))) (lambda args ;; If we fail to create a setuid program, better keep going ;; so that we don't leave %SETUID-DIRECTORY empty or ;; half-populated. This can happen if PROGRAMS contains ;; incorrect file names: . (format (current-error-port) - "warning: failed to make '~a' setuid-root: ~a~%" - program (strerror (system-error-errno args)))))) + "warning: failed to make ~s setuid/setgid: ~a~%" + (setuid-program-program program) + (strerror (system-error-errno args)))))) programs)) (define (activate-special-files special-files) 
diff --git a/gnu/services.scm b/gnu/services.scm index 8d413e198e..2f5f67b3a1 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -4,6 +4,8 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020, 2021 Ricardo Wurmus ;;; Copyright © 2021 raid5atemyhomework +;;; Copyright © 2020 Christopher Lemmer Webber +;;; Copyright © 2020, 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +42,7 @@ #:use-module (gnu packages base) #:use-module (gnu packages bash) #:use-module (gnu packages hurd) + #:use-module (gnu system setuid) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-9 gnu) 
@@ -801,15 +804,49 @@ directory." FILES must be a list of name/file-like object pairs." (service etc-service-type files)) +(define (setuid-program->activation-gexp programs) + "Return an activation gexp for setuid-program from PROGRAMS." + (let ((programs (map (lambda (program) + ;; FIXME This is really ugly, I didn't managed to use + ;; "inherit" + (let ((program-name (setuid-program-program program)) + (setuid? (setuid-program-setuid? program)) + (setgid? (setuid-program-setgid? program)) + (user (setuid-program-user program)) + (group (setuid-program-group program)) ) + #~(setuid-program + (setuid? #$setuid?) + (setgid? #$setgid?) + (user #$user) + (group #$group) + (program #$program-name)))) + programs))) + (with-imported-modules (source-module-closure + '((gnu system setuid))) + #~(begin + (use-modules (gnu system setuid)) + + (activate-setuid-programs (list #$@programs)))))) + +(define (setuid-program-file-like-deprecated file-like) + (match file-like + ((? file-like? program) + (warning + (G_ "representing setuid programs with '~a' is \ +deprecated; use 'setuid-program' instead~%") program) + (setuid-program (program program))) + ((? setuid-program? program) + program))) + (define setuid-program-service-type (service-type (name 'setuid-program) (extensions (list (service-extension activation-service-type - (lambda (programs) - #~(activate-setuid-programs - (list #$@programs)))))) + setuid-program->activation-gexp))) (compose concatenate) - (extend append) + (extend (lambda (config extensions) + (map setuid-program-file-like-deprecated + (append config extensions)))) (description "Populate @file{/run/setuid-programs} with the specified executables, making them setuid-root."))) diff --git a/gnu/system.scm b/gnu/system.scm index 8a3ae27d04..96b45ede96 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -7,7 +7,7 @@ ;;; Copyright © 2019 Meiyo Peng ;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas ;;; Copyright © 2020 Danny Milosavljevic -;;; Copyright © 2020 Brice Waegeneire +;;; Copyright © 2020, 2021 Brice Waegeneire ;;; Copyright © 2020 Florian Pelz ;;; Copyright © 2020 Maxim Cournoyer ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen @@ -74,6 +74,7 @@ #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) #:use-module (gnu system mapped-devices) @@ -267,7 +268,7 @@ (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) - (setuid-programs operating-system-setuid-programs + (setuid-programs %operating-system-setuid-programs (default %setuid-programs)) ; list of string-valued gexps (sudoers-file operating-system-sudoers-file ; file-like @@ -671,7 +672,7 @@ bookkeeping." (operating-system-environment-variables os)) host-name procs root-fs (service setuid-program-service-type - (operating-system-setuid-programs os)) + (%operating-system-setuid-programs os)) (service profile-service-type (operating-system-packages os)) other-fs @@ -701,7 +702,7 @@ bookkeeping." (pam-root-service (operating-system-pam-services os)) (operating-system-etc-service os) (service setuid-program-service-type - (operating-system-setuid-programs os)) + (%operating-system-setuid-programs os)) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) 
@@ -1065,6 +1066,11 @@ use 'plain-file' instead~%") ;; TODO: Remove when glibc@2.23 is long gone. ("GUIX_LOCPATH" . "/run/current-system/locale"))) +(define (operating-system-setuid-programs os) + "Return the setuid programs for OS, as a list of setuid-program record." + (map file-like->setuid-program + (%operating-system-setuid-programs os))) + (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm new file mode 100644 index 0000000000..e8b9c0df81 --- /dev/null +++ b/gnu/system/setuid.scm 
@@ -0,0 +1,57 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2021 Brice Waegeneire +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu system setuid) + #:use-module (guix records) + #:export (setuid-program + setuid-program? + setuid-program-program + setuid-program-setuid? + setuid-program-setgid? + setuid-program-user + setuid-program-group + + file-like->setuid-program)) + +;;; Commentary: +;;; +;;; Data structures representing setuid/setgid programs. This is meant to be +;;; used both on the host side and at run time--e.g., in activation snippets. +;;; +;;; Code: + +(define-record-type* + setuid-program make-setuid-program + setuid-program? + ;; Path to program to link with setuid permissions + (program setuid-program-program) ;file-like + ;; Whether to set user setuid bit + (setuid? setuid-program-setuid? ;boolean + (default #t)) + ;; Whether to set user setgid bit + (setgid? setuid-program-setgid? 
;boolean + (default #f)) + ;; The user this should be set to (defaults to root) + (user setuid-program-user ;integer or string + (default 0)) + ;; Group we want to set this to (defaults to root) + (group setuid-program-group ;integer or string + (default 0))) + +(define (file-like->setuid-program program) + (setuid-program (program program))) -- 2.31.1
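Review bot: The `description` of `setuid-program-service-type` in gnu/services.scm still ends with "making them setuid-root", but after the hunk at `@@ -801,15 +804,49 @@` the owner, the group and the setuid/setgid bits all come from the record. The text should say that each program receives the user, group and bits its `setuid-program` record asks for, so that someone auditing an operating-system declaration does not assume every entry is setuid-root. The FIXME about "inherit" in `setuid-program->activation-gexp` also wants resolving or rewording before this goes in.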
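Review bot: `operating-system-setuid-programs`, added in gnu/system.scm at `@@ -1065,6 +1066,11 @@`, maps `file-like->setuid-program` over the field unconditionally, and that procedure wraps whatever it is given: `(setuid-program (program program))`. Once the field already holds records, which is what patch 2/2 does to `%setuid-programs`, callers get a record whose `program` field is itself a record. `setuid-program-file-like-deprecated` in gnu/services.scm already dispatches on `file-like?` versus `setuid-program?`; the accessor should do the same, or return the field as it is. The field comment "list of string-valued gexps" next to `%operating-system-setuid-programs` is stale for the same reason.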
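Review bot: In the new gnu/system/setuid.scm, `setuid?` defaults to `#t` and `user` to 0, so a record written only to get a setgid helper, with `(setgid? #t)` and a `group`, still comes out setuid-root as well: `make-setuid-program` in gnu/build/activation.scm adds both bits to #o0555, which gives mode 6555. The field comments should state that `setuid?` has to be set to `#f` explicitly in that case. While there, "Whether to set user setgid bit" should read "group", and "Path to program to link with setuid permissions" describes a link although activation copies the file.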
Subject: bug#44770: [PATCH v2 0/2] services: setuid: More configurable setuid support.
From: Chris Lemmer-Webber
In-reply-to: <20210703162243.5253-1-brice@waegenei.re>
Date: Mon, 05 Jul 2021 11:18:57 -0400
Message-ID: <87fswsg55q.fsf@dustycloud.org>

Ooh! Taking a look!

Brice Waegeneire writes:

> Hello Christopher,
>
> Some time ago I continued your patch from where you left it. If I recall
> correctly it should address all the suggestions from Ludo' and Maxim. I'm
> using it for several months now without any issue.
>
> Thank you for your work on this issue Christopher!

Thank you! A request... could you rename my name in the patches to
Chris Lemmer-Webber? There have been some recent changes:

  https://dustycloud.org/blog/nonbinary-trans-femme/

"-topher" is now a deprecated suffix and I am moving to consistency with
my spouse in having a dash in my last name. :)

> Cheers,
> - Brice
>
> Brice Waegeneire (1):
>   services: Migrate to .
>
> Christopher Lemmer Webber (1):
>   services: setuid: More configurable setuid support.
>
>  gnu/build/activation.scm | 38 ++++++++++++++++++++-------
>  gnu/services.scm         | 45 ++++++++++++++++++++++++++++---
>  gnu/services/dbus.scm    | 13 ++++++---
>  gnu/services/desktop.scm | 26 +++++++++++-------
>  gnu/services/docker.scm  |  9 ++++---
>  gnu/services/xorg.scm    |  4 ++-
>  gnu/system.scm           | 45 +++++++++++++++++--------------
>  gnu/system/setuid.scm    | 57 ++++++++++++++++++++++++++++++++++++++++
>  8 files changed, 186 insertions(+), 51 deletions(-)
>  create mode 100644 gnu/system/setuid.scm

Subject: bug#44770: [PATCH v2 1/2] services: setuid: More configurable setuid support.
From: Chris Lemmer-Webber
In-reply-to: <20210703162243.5253-2-brice@waegenei.re>
Date: Mon, 05 Jul 2021 11:24:09 -0400
Message-ID: <8735ssg4x2.fsf@dustycloud.org>

Brice Waegeneire writes:

> From: Christopher Lemmer Webber > > New record with fields for setting the specific user > and group, as well as specifically selecting the setuid and setgid bits, > for a program within the setuid-program-service. > > * gnu/services.scm (setuid-program-file-like-deprecated): New function. > (setuid-program-service-type): Make use of > setuid-program->activation-gexp. Adjust the extend property to handle > . > * gnu/build/activation.scm (activate-setuid-programs): Update to expect a > list for each program entry. > * gnu/system.scm: (operating-system-setuid-programs): Renamed to > %operating-system-setuid-programs and replace it with new procedure. > (operating-system-default-essential-services, > hurd-default-essential-services): Replace > operating-system-setuid-programs with %operating-system-setuid-programs. Should fix the indentation here for consistency. Might have been my fault. > * gnu/system/setuid.scm: New file. > > Co-authored-by: Brice Waegeneire > --- > gnu/build/activation.scm | 38 ++++++++++++++++++++------- > gnu/services.scm | 45 ++++++++++++++++++++++++++++--- > gnu/system.scm | 14 +++++++--- > gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 136 insertions(+), 18 deletions(-) > create mode 100644 gnu/system/setuid.scm > > diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm > index 2af1d44b5f..ab9255d095 100644 > --- a/gnu/build/activation.scm > +++ b/gnu/build/activation.scm > @@ -6,6 +6,8 @@ > ;;; Copyright =C2=A9 2018 Arun Isaac > ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus > ;;; Copyright =C2=A9 2021 Maxime Devos > +;;; Copyright =C2=A9 2020 Christopher Lemmer Webber So yeah, change the copyright here too if you don't mind :) > +;;; Copyright =C2=A9 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; 
> @@ -24,6 +26,7 @@ >=20=20 > (define-module (gnu build activation) > #:use-module (gnu system accounts) > + #:use-module (gnu system setuid) > #:use-module (gnu build accounts) > #:use-module (gnu build linux-boot) > #:use-module (guix build utils) > @@ -279,14 +282,17 @@ they already exist." > "/run/setuid-programs") >=20=20 > (define (activate-setuid-programs programs) > - "Turn PROGRAMS, a list of file names, into setuid programs stored under > -%SETUID-DIRECTORY." > - (define (make-setuid-program prog) > + "Turn PROGRAMS, a list of file setuid-programs record, into setuid pro= grams > +stored under %SETUID-DIRECTORY." > + (define (make-setuid-program program setuid? setgid? uid gid) > (let ((target (string-append %setuid-directory > - "/" (basename prog)))) > - (copy-file prog target) > - (chown target 0 0) > - (chmod target #o4555))) > + "/" (basename program))) > + (mode (+ #o0555 ; base permissions > + (if setuid? #o4000 0) ; setuid bit > + (if setgid? #o2000 0)))) ; setgid bit > + (copy-file program target) > + (chown target uid gid) > + (chmod target mode))) >=20=20 > (format #t "setting up setuid programs in '~a'...~%" > %setuid-directory) 
> @@ -302,15 +308,27 @@ they already exist." > (for-each (lambda (program) > (catch 'system-error > (lambda () > - (make-setuid-program program)) > + (let* ((program-name (setuid-program-program program)) > + (setuid? (setuid-program-setuid? program)) > + (setgid? (setuid-program-setgid? program)) > + (user (setuid-program-user program)) > + (group (setuid-program-group program)) > + (uid (match user > + ((? string?) (passwd:uid (getpwnam user)= )) > + ((? integer?) user))) > + (gid (match group > + ((? string?) (group:gid (getgrnam group)= )) > + ((? integer?) group)))) > + (make-setuid-program program-name setuid? setgid? ui= d gid))) Oh, looks like you got rid of my match here. I guess it wasn't needed to deconstruct the arguments and reconstruct them the way I had? Oh, it looks like this is what Ludo suggested. Well nice job pulling it off then :) > (lambda args > ;; If we fail to create a setuid program, better keep = going > ;; so that we don't leave %SETUID-DIRECTORY empty or > ;; half-populated. This can happen if PROGRAMS contai= ns > ;; incorrect file names: . > (format (current-error-port) > - "warning: failed to make '~a' setuid-root: ~a~= %" > - program (strerror (system-error-errno args))))= )) > + "warning: failed to make ~s setuid/setgid: ~a~= %" > + (setuid-program-program program) > + (strerror (system-error-errno args)))))) > programs)) >=20=20 > (define (activate-special-files special-files) > diff --git a/gnu/services.scm b/gnu/services.scm > index 8d413e198e..2f5f67b3a1 100644 > --- a/gnu/services.scm > +++ b/gnu/services.scm > @@ -4,6 +4,8 @@ > ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen > ;;; Copyright =C2=A9 2020, 2021 Ricardo Wurmus > ;;; Copyright =C2=A9 2021 raid5atemyhomework > +;;; Copyright =C2=A9 2020 Christopher Lemmer Webber Name change here too please...! > +;;; Copyright =C2=A9 2020, 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; 
> @@ -40,6 +42,7 @@ > #:use-module (gnu packages base) > #:use-module (gnu packages bash) > #:use-module (gnu packages hurd) > + #:use-module (gnu system setuid) > #:use-module (srfi srfi-1) > #:use-module (srfi srfi-9) > #:use-module (srfi srfi-9 gnu) 
> @@ -801,15 +804,49 @@ directory." > FILES must be a list of name/file-like object pairs." > (service etc-service-type files)) >=20=20 > +(define (setuid-program->activation-gexp programs) > + "Return an activation gexp for setuid-program from PROGRAMS." > + (let ((programs (map (lambda (program) > + ;; FIXME This is really ugly, I didn't managed = to use > + ;; "inherit" > + (let ((program-name (setuid-program-program pro= gram)) > + (setuid? (setuid-program-setuid? pro= gram)) > + (setgid? (setuid-program-setgid? pro= gram)) > + (user (setuid-program-user progra= m)) > + (group (setuid-program-group progr= am)) ) > + #~(setuid-program > + (setuid? #$setuid?) > + (setgid? #$setgid?) > + (user #$user) > + (group #$group) > + (program #$program-name)))) > + programs))) > + (with-imported-modules (source-module-closure > + '((gnu system setuid))) > + #~(begin > + (use-modules (gnu system setuid)) > + > + (activate-setuid-programs (list #$@programs)))))) > + > +(define (setuid-program-file-like-deprecated file-like) > + (match file-like > + ((? file-like? program) > + (warning > + (G_ "representing setuid programs with '~a' is \ > +deprecated; use 'setuid-program' instead~%") program) > + (setuid-program (program program))) > + ((? setuid-program? program) > + program))) > + > (define setuid-program-service-type > (service-type (name 'setuid-program) > (extensions > (list (service-extension activation-service-type > - (lambda (programs) > - #~(activate-setuid-programs > - (list #$@programs)))))) > + setuid-program->activation-gex= p))) > (compose concatenate) > - (extend append) > + (extend (lambda (config extensions) > + (map setuid-program-file-like-deprecated > + (append config extensions)))) > (description > "Populate @file{/run/setuid-programs} with the specified > executables, making them setuid-root."))) > diff --git a/gnu/system.scm b/gnu/system.scm > index 8a3ae27d04..96b45ede96 100644 > --- a/gnu/system.scm > +++ b/gnu/system.scm 
> @@ -7,7 +7,7 @@ > ;;; Copyright =C2=A9 2019 Meiyo Peng > ;;; Copyright =C2=A9 2019, 2020 Miguel =C3=81ngel Arruga Vivas > ;;; Copyright =C2=A9 2020 Danny Milosavljevic > -;;; Copyright =C2=A9 2020 Brice Waegeneire > +;;; Copyright =C2=A9 2020, 2021 Brice Waegeneire > ;;; Copyright =C2=A9 2020 Florian Pelz > ;;; Copyright =C2=A9 2020 Maxim Cournoyer > ;;; Copyright =C2=A9 2020 Jan (janneke) Nieuwenhuizen > @@ -74,6 +74,7 @@ > #:use-module (gnu system locale) > #:use-module (gnu system pam) > #:use-module (gnu system linux-initrd) > + #:use-module (gnu system setuid) > #:use-module (gnu system uuid) > #:use-module (gnu system file-systems) > #:use-module (gnu system mapped-devices) > @@ -267,7 +268,7 @@ >=20=20 > (pam-services operating-system-pam-services ; list of PAM services > (default (base-pam-services))) > - (setuid-programs operating-system-setuid-programs > + (setuid-programs %operating-system-setuid-programs > (default %setuid-programs)) ; list of string-value= d gexps >=20=20 > (sudoers-file operating-system-sudoers-file ; file-like > @@ -671,7 +672,7 @@ bookkeeping." > (operating-system-environment-variables os)) > host-name procs root-fs > (service setuid-program-service-type > - (operating-system-setuid-programs os)) > + (%operating-system-setuid-programs os)) > (service profile-service-type > (operating-system-packages os)) > other-fs > @@ -701,7 +702,7 @@ bookkeeping." > (pam-root-service (operating-system-pam-services os)) > (operating-system-etc-service os) > (service setuid-program-service-type > - (operating-system-setuid-programs os)) > + (%operating-system-setuid-programs os)) > (service profile-service-type (operating-system-packages os)))= )) >=20=20 > (define* (operating-system-services os) 
> @@ -1065,6 +1066,11 @@ use 'plain-file' instead~%") > ;; TODO: Remove when glibc@2.23 is long gone. > ("GUIX_LOCPATH" . "/run/current-system/locale"))) >=20=20 > +(define (operating-system-setuid-programs os) > + "Return the setuid programs for OS, as a list of setuid-program record= ." > + (map file-like->setuid-program > + (%operating-system-setuid-programs os))) > + > (define %setuid-programs > ;; Default set of setuid-root programs. > (let ((shadow (@ (gnu packages admin) shadow))) > diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm > new file mode 100644 > index 0000000000..e8b9c0df81 > --- /dev/null > +++ b/gnu/system/setuid.scm 
> @@ -0,0 +1,57 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =C2=A9 2021 Brice Waegeneire > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see . > + > +(define-module (gnu system setuid) > + #:use-module (guix records) > + #:export (setuid-program > + setuid-program? > + setuid-program-program > + setuid-program-setuid? > + setuid-program-setgid? > + setuid-program-user > + setuid-program-group > + > + file-like->setuid-program)) > + > +;;; Commentary: > +;;; > +;;; Data structures representing setuid/setgid programs. This is meant = to be > +;;; used both on the host side and at run time--e.g., in activation snip= pets. > +;;; > +;;; Code: > + > +(define-record-type* > + setuid-program make-setuid-program > + setuid-program? > + ;; Path to program to link with setuid permissions > + (program setuid-program-program) ;file-like > + ;; Whether to set user setuid bit > + (setuid? setuid-program-setuid? ;boolean > + (default #t)) > + ;; Whether to set user setgid bit > + (setgid? setuid-program-setgid? 
;boolean > + (default #f)) > + ;; The user this should be set to (defaults to root) > + (user setuid-program-user ;integer or string > + (default 0)) > + ;; Group we want to set this to (defaults to root) > + (group setuid-program-group ;integer or string > + (default 0))) > + > +(define (file-like->setuid-program program) > + (setuid-program (program program)))
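Review bot: in gnu/build/activation.scm, the new let* in activate-setuid-programs resolves user and group with getpwnam/getgrnam and a two-clause match, all inside a handler that catches only 'system-error. A user or group value that is neither a string nor an integer raises a match error rather than 'system-error, so a single bad record would abort the for-each and leave %SETUID-DIRECTORY half-populated, which is exactly what the comment in the handler says to avoid. It is also worth confirming that looking up an unknown user or group name raises 'system-error. Suggest validating the fields before the loop, or catching #t and reporting the key along with the program name.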
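Review bot: in gnu/system.scm, the new operating-system-setuid-programs maps file-like->setuid-program over every entry, and file-like->setuid-program in gnu/system/setuid.scm wraps its argument unconditionally with (setuid-program (program program)). An entry that is already a setuid-program record would be nested inside a second record carrying the defaults (setuid? #t, user 0, group 0), so callers of this accessor would see root-setuid defaults instead of what the configuration asked for. Suggest passing setuid-program? values through unchanged, as setuid-program-file-like-deprecated in gnu/services.scm already does, and keeping one conversion helper rather than two. The field comment "list of string-valued gexps" next to %operating-system-setuid-programs also needs updating.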
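Review bot: in gnu/system/setuid.scm, the record defaults are setuid? #t with user 0, so a program intended to be setgid-only also becomes setuid-root unless the caller writes (setuid? #f) explicitly; that deserves a sentence in the field comments, since it is the unsafe direction to get wrong. The comment "Whether to set user setgid bit" should say "group", the program comment says "link" although make-setuid-program copies the file, and the setuid-program-service-type description in gnu/services.scm still reads "making them setuid-root" although other owners and the setgid bit are now possible.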
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: 積丹尼 Dan Jacobson
Subject: bug#44770: closed (chown: warn when encountering deprecated dot separator)
References: <87zh3b918i.5.fsf@jidanni.org>
Reply-To: 44770@debbugs.gnu.org
Date: Fri, 25 Feb 2022 02:24:02 +0000

Your bug report

#44770: chown: warn when encountering deprecated dot separator

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 44770@debbugs.gnu.org.

-- 
44770: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=44770
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Paul Eggert
To: Dan Jacobson
Cc: 44770-done@debbugs.gnu.org
Subject: chown: warn when encountering deprecated dot separator
Date: Thu, 24 Feb 2022 18:23:38 -0800
Organization: UCLA Computer Science Department

Thanks for the suggestion. I installed the attached patches to do that.

[Attachment: 0001-build-update-gnulib-submodule-to-latest.patch]
[Attachment: 0002-chown-warn-about-USER.GROUP.patch]
From: 積丹尼 Dan Jacobson
To: bug-coreutils@gnu.org
Subject: chown: warn about the dot when encountering it
Date: Sat, 21 Nov 2020 05:17:49 +0800
Message-ID: <87zh3b918i.5.fsf@jidanni.org>

Maybe print warning messages when encountering the dot,
(info "(coreutils) chown invocation")
Else Grandpa won't ever know,
https://github.com/scop/bash-completion/issues/468
until one day when it's too late...
(And his program starts messing things up on some other system.)
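A check that can be run over existing scripts to find the usage this report is about, as an added example that is not part of the thread or of coreutils: it flags `chown` owner specs that contain a dot and no colon, including the one given to `--from`. The function names, the wrapper-word list and the sample script are assumptions constructed for illustration.

```python
import os
import shlex

# Words after which the next word is still a command name (assumed list).
PREFIXES = {"sudo", "doas", "command", "exec", "xargs", "-exec", "-execdir"}
SHELL_PUNCT = set("();<>|&")

def tokens(line):
    """Split one shell line into words and operator tokens, dropping comments."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:  # unbalanced quote: the command continues elsewhere
        return []

def commands(toks):
    """Yield the word list of each simple command on the line."""
    argv = []
    for tok in toks:
        if tok and set(tok) <= SHELL_PUNCT:  # ;  &&  ||  |  > ...
            if argv:
                yield argv
            argv = []
        else:
            argv.append(tok)
    if argv:
        yield argv

def owner_specs(args):
    """Yield every OWNER[:GROUP] spec among the arguments that follow chown."""
    it = iter(args)
    operands, reference, opts_done = [], False, False
    for arg in it:
        if opts_done or not arg.startswith("-") or arg == "-":
            operands.append(arg)
        elif arg == "--":
            opts_done = True
        elif arg.startswith("--from="):
            yield arg.split("=", 1)[1]
        elif arg == "--from":
            spec = next(it, None)
            if spec is not None:
                yield spec
        elif arg.startswith("--reference"):
            reference = True  # ownership comes from RFILE, no spec operand
            if arg == "--reference":
                next(it, None)  # skip RFILE given as a separate word
    if operands and not reference:
        yield operands[0]

def find_dot_specs(script):
    """Return (line number, spec) for each chown spec using '.' and no ':'.

    A dot can also be part of a legitimate user name, so hits are
    candidates for review, not certain errors.
    """
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for argv in commands(tokens(line)):
            for i, word in enumerate(argv):
                is_cmd = i == 0 or argv[i - 1] in PREFIXES
                if is_cmd and os.path.basename(word) == "chown":
                    for spec in owner_specs(argv[i + 1:]):
                        if "." in spec and ":" not in spec:
                            hits.append((lineno, spec))
                    break
    return hits

# Constructed sample input, not taken from any real system.
SAMPLE = '''\
#!/bin/sh
# constructed sample: deploy.sh
chown root:root /etc/app.conf
sudo chown -R www-data.www-data /var/www   # legacy separator
chown --reference=/etc/passwd.bak /tmp/x
chown --from=old.owner new:grp data && chown "$APP_USER.$APP_GROUP" "$dir"
grep chown notes.txt
'''

if __name__ == "__main__":
    for lineno, spec in find_dot_specs(SAMPLE):
        print(f"line {lineno}: owner spec {spec!r} uses '.', write ':' instead")
```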