Package: coreutils;
Reported by: 積丹尼 Dan Jacobson <jidanni <at> jidanni.org>
Date: Fri, 20 Nov 2020 21:19:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Brice Waegeneire <brice <at> waegenei.re> To: 44770 <at> debbugs.gnu.org Cc: cwebber <at> dustycloud.org, Brice Waegeneire <brice <at> waegenei.re> Subject: bug#44770: [PATCH v2 1/2] services: setuid: More configurable setuid support. Date: Sat, 3 Jul 2021 18:22:42 +0200
From: Christopher Lemmer Webber <cwebber <at> dustycloud.org>
New record <setuid-program> with fields for setting the specific user
and group, as well as specifically selecting the setuid and setgid bits,
for a program within the setuid-program-service.
* gnu/services.scm (setuid-program-file-like-deprecated): New function.
(setuid-program-service-type): Make use of
setuid-program->activation-gexp. Adjust the extend property to handle
<setuid-program>.
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
<setuid-record> list for each program entry.
* gnu/system.scm: (operating-system-setuid-programs): Renamed to
%operating-system-setuid-programs and replace it with new procedure.
(operating-system-default-essential-services,
hurd-default-essential-services): Replace
operating-system-setuid-programs with %operating-system-setuid-programs.
* gnu/system/setuid.scm: New file.
Co-authored-by: Brice Waegeneire <brice <at> waegenei.re>
---
gnu/build/activation.scm | 38 ++++++++++++++++++++-------
gnu/services.scm | 45 ++++++++++++++++++++++++++++---
gnu/system.scm | 14 +++++++---
gnu/system/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 136 insertions(+), 18 deletions(-)
create mode 100644 gnu/system/setuid.scm
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 2af1d44b5f..ab9255d095 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -6,6 +6,8 @@
;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +26,7 @@
(define-module (gnu build activation)
#:use-module (gnu system accounts)
+ #:use-module (gnu system setuid)
#:use-module (gnu build accounts)
#:use-module (gnu build linux-boot)
#:use-module (guix build utils)
@@ -279,14 +282,17 @@ they already exist."
"/run/setuid-programs")
(define (activate-setuid-programs programs)
- "Turn PROGRAMS, a list of file names, into setuid programs stored under
-%SETUID-DIRECTORY."
- (define (make-setuid-program prog)
+ "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
+stored under %SETUID-DIRECTORY."
+ (define (make-setuid-program program setuid? setgid? uid gid)
(let ((target (string-append %setuid-directory
- "/" (basename prog))))
- (copy-file prog target)
- (chown target 0 0)
- (chmod target #o4555)))
+ "/" (basename program)))
+ (mode (+ #o0555 ; base permissions
+ (if setuid? #o4000 0) ; setuid bit
+ (if setgid? #o2000 0)))) ; setgid bit
+ (copy-file program target)
+ (chown target uid gid)
+ (chmod target mode)))
(format #t "setting up setuid programs in '~a'...~%"
%setuid-directory)
@@ -302,15 +308,27 @@ they already exist."
(for-each (lambda (program)
(catch 'system-error
(lambda ()
- (make-setuid-program program))
+ (let* ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program))
+ (uid (match user
+ ((? string?) (passwd:uid (getpwnam user)))
+ ((? integer?) user)))
+ (gid (match group
+ ((? string?) (group:gid (getgrnam group)))
+ ((? integer?) group))))
+ (make-setuid-program program-name setuid? setgid? uid gid)))
(lambda args
;; If we fail to create a setuid program, better keep going
;; so that we don't leave %SETUID-DIRECTORY empty or
;; half-populated. This can happen if PROGRAMS contains
;; incorrect file names: <https://bugs.gnu.org/38800>.
(format (current-error-port)
- "warning: failed to make '~a' setuid-root: ~a~%"
- program (strerror (system-error-errno args))))))
+ "warning: failed to make ~s setuid/setgid: ~a~%"
+ (setuid-program-program program)
+ (strerror (system-error-errno args))))))
programs))
(define (activate-special-files special-files)
diff --git a/gnu/services.scm b/gnu/services.scm
index 8d413e198e..2f5f67b3a1 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -4,6 +4,8 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke <at> gnu.org>
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado <at> elephly.net>
;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework <at> protonmail.com>
+;;; Copyright © 2020 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -40,6 +42,7 @@
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
+ #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -801,15 +804,49 @@ directory."
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
+(define (setuid-program->activation-gexp programs)
+ "Return an activation gexp for setuid-program from PROGRAMS."
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)))
+ #~(begin
+ (use-modules (gnu system setuid))
+
+ (activate-setuid-programs (list #$@programs))))))
+
+(define (setuid-program-file-like-deprecated file-like)
+ (match file-like
+ ((? file-like? program)
+ (warning
+ (G_ "representing setuid programs with '~a' is \
+deprecated; use 'setuid-program' instead~%") program)
+ (setuid-program (program program)))
+ ((? setuid-program? program)
+ program)))
+
(define setuid-program-service-type
(service-type (name 'setuid-program)
(extensions
(list (service-extension activation-service-type
- (lambda (programs)
- #~(activate-setuid-programs
- (list #$@programs))))))
+ setuid-program->activation-gexp)))
(compose concatenate)
- (extend append)
+ (extend (lambda (config extensions)
+ (map setuid-program-file-like-deprecated
+ (append config extensions))))
(description
"Populate @file{/run/setuid-programs} with the specified
executables, making them setuid-root.")))
diff --git a/gnu/system.scm b/gnu/system.scm
index 8a3ae27d04..96b45ede96 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -7,7 +7,7 @@
;;; Copyright © 2019 Meiyo Peng <meiyo.peng <at> gmail.com>
;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835 <at> gmail.com>
;;; Copyright © 2020 Danny Milosavljevic <dannym <at> scratchpost.org>
-;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
;;; Copyright © 2020 Florian Pelz <pelzflorian <at> pelzflorian.de>
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <jannek <at> gnu.org>
@@ -74,6 +74,7 @@
#:use-module (gnu system locale)
#:use-module (gnu system pam)
#:use-module (gnu system linux-initrd)
+ #:use-module (gnu system setuid)
#:use-module (gnu system uuid)
#:use-module (gnu system file-systems)
#:use-module (gnu system mapped-devices)
@@ -267,7 +268,7 @@
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
- (setuid-programs operating-system-setuid-programs
+ (setuid-programs %operating-system-setuid-programs
(default %setuid-programs)) ; list of string-valued gexps
(sudoers-file operating-system-sudoers-file ; file-like
@@ -671,7 +672,7 @@ bookkeeping."
(operating-system-environment-variables os))
host-name procs root-fs
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type
(operating-system-packages os))
other-fs
@@ -701,7 +702,7 @@ bookkeeping."
(pam-root-service (operating-system-pam-services os))
(operating-system-etc-service os)
(service setuid-program-service-type
- (operating-system-setuid-programs os))
+ (%operating-system-setuid-programs os))
(service profile-service-type (operating-system-packages os)))))
(define* (operating-system-services os)
@@ -1065,6 +1066,11 @@ use 'plain-file' instead~%")
;; TODO: Remove when glibc <at> 2.23 is long gone.
("GUIX_LOCPATH" . "/run/current-system/locale")))
+(define (operating-system-setuid-programs os)
+ "Return the setuid programs for OS, as a list of setuid-program record."
+ (map file-like->setuid-program
+ (%operating-system-setuid-programs os)))
+
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
diff --git a/gnu/system/setuid.scm b/gnu/system/setuid.scm
new file mode 100644
index 0000000000..e8b9c0df81
--- /dev/null
+++ b/gnu/system/setuid.scm
@@ -0,0 +1,57 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu system setuid)
+ #:use-module (guix records)
+ #:export (setuid-program
+ setuid-program?
+ setuid-program-program
+ setuid-program-setuid?
+ setuid-program-setgid?
+ setuid-program-user
+ setuid-program-group
+
+ file-like->setuid-program))
+
+;;; Commentary:
+;;;
+;;; Data structures representing setuid/setgid programs. This is meant to be
+;;; used both on the host side and at run time--e.g., in activation snippets.
+;;;
+;;; Code:
+
+(define-record-type* <setuid-program>
+ setuid-program make-setuid-program
+ setuid-program?
+ ;; Path to program to link with setuid permissions
+ (program setuid-program-program) ;file-like
+ ;; Whether to set user setuid bit
+ (setuid? setuid-program-setuid? ;boolean
+ (default #t))
+ ;; Whether to set user setgid bit
+ (setgid? setuid-program-setgid? ;boolean
+ (default #f))
+ ;; The user this should be set to (defaults to root)
+ (user setuid-program-user ;integer or string
+ (default 0))
+ ;; Group we want to set this to (defaults to root)
+ (group setuid-program-group ;integer or string
+ (default 0)))
+
+(define (file-like->setuid-program program)
+ (setuid-program (program program)))
--
2.31.1
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.