Package: guix-patches;
Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date: Sun, 12 Feb 2023 20:46:01 UTC
Severity: normal
Tags: patch
Done: Tobias Geerinckx-Rice <me <at> tobias.gr>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Tobias Geerinckx-Rice <me <at> tobias.gr> To: 61462 <at> debbugs.gnu.org Subject: [bug#61462] [PATCH v2 02/10] services: setuid-program: Populate /run/privileged/bin. Date: Sun, 16 Jul 2023 01:59:52 +0200
Create /run/setuid-programs compatibility symlinks so that we can
migrate all users (both package and human) piecemeal at our leisure.
Apart from being symlinks, this should be a user-invisible change.
* gnu/build/activation.scm (%privileged-program-directory): New variable.
[activate-setuid-programs]: Put privileged copies in
%PRIVILEGED-PROGRAM-DIRECTORY, with compatibility symlinks to each in
%SETUID-DIRECTORY.
* gnu/services.scm (setuid-program-service-type): Update docstring.
* doc/guix.texi (Setuid Programs): Update @file{} name accordingly.
---
doc/guix.texi | 2 +-
gnu/build/activation.scm | 54 ++++++++++++++++++++++++++--------------
gnu/services.scm | 9 +++++--
3 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1d8ebcd72f..9426c72e1e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -39383,7 +39383,7 @@ Setuid Programs
@end defvar
Under the hood, the actual setuid programs are created in the
-@file{/run/setuid-programs} directory at system activation time. The
+@file{/run/privileged/bin} directory at system activation time. The
files in this directory refer to the ``real'' binaries, which are in the
store.
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index eea2233563..7f4800bba1 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
;;; Copyright © 2020 Christine Lemmer-Webber <cwebber <at> dustycloud.org>
;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2022 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -278,14 +279,29 @@ (define (activate-etc etc)
string<?)))
(define %setuid-directory
- ;; Place where setuid programs are stored.
+ ;; Place where setuid programs used to be stored. It exists for backwards
+ ;; compatibility & will be removed. Use %PRIVILEGED-PROGRAM-DIRECTORY instead.
"/run/setuid-programs")
+(define %privileged-program-directory
+ ;; Place where privileged copies of programs are stored.
+ "/run/privileged/bin")
+
(define (activate-setuid-programs programs)
- "Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
-stored under %SETUID-DIRECTORY."
- (define (make-setuid-program program setuid? setgid? uid gid)
- (let ((target (string-append %setuid-directory
+ "Turn PROGRAMS, a list of file setuid-programs records, into privileged
+copies stored under %PRIVILEGED-PROGRAM-DIRECTORY."
+ (define (ensure-empty-directory directory)
+ (if (file-exists? directory)
+ (for-each (compose delete-file
+ (cut string-append directory "/" <>))
+ (scandir directory
+ (lambda (file)
+ (not (member file '("." ".."))))
+ string<?))
+ (mkdir-p directory)) )
+
+ (define (make-privileged-program program setuid? setgid? uid gid)
+ (let ((target (string-append %privileged-program-directory
"/" (basename program)))
(mode (+ #o0555 ; base permissions
(if setuid? #o4000 0) ; setuid bit
@@ -294,16 +310,17 @@ (define (activate-setuid-programs programs)
(chown target uid gid)
(chmod target mode)))
- (format #t "setting up setuid programs in '~a'...~%"
- %setuid-directory)
- (if (file-exists? %setuid-directory)
- (for-each (compose delete-file
- (cut string-append %setuid-directory "/" <>))
- (scandir %setuid-directory
- (lambda (file)
- (not (member file '("." ".."))))
- string<?))
- (mkdir-p %setuid-directory))
+ (define (make-deprecated-wrapper program)
+ ;; This will eventually become a script that warns on usage, then vanish.
+ (symlink (string-append %privileged-program-directory
+ "/" (basename program))
+ (string-append %setuid-directory
+ "/" (basename program))))
+
+ (format #t "setting up privileged programs in '~a'...~%"
+ %privileged-program-directory)
+ (ensure-empty-directory %privileged-program-directory)
+ (ensure-empty-directory %setuid-directory)
(for-each (lambda (program)
(catch 'system-error
@@ -319,11 +336,12 @@ (define (activate-setuid-programs programs)
(gid (match group
((? string?) (group:gid (getgrnam group)))
((? integer?) group))))
- (make-setuid-program program-name setuid? setgid? uid gid)))
+ (make-privileged-program program-name setuid? setgid? uid gid)
+ (make-deprecated-wrapper program-name)))
(lambda args
;; If we fail to create a setuid program, better keep going
- ;; so that we don't leave %SETUID-DIRECTORY empty or
- ;; half-populated. This can happen if PROGRAMS contains
+ ;; so that we don't leave %PRIVILEGED-PROGRAM-DIRECTORY empty
+ ;; or half-populated. This can happen if PROGRAMS contains
;; incorrect file names: <https://bugs.gnu.org/38800>.
(format (current-error-port)
"warning: failed to make ~s setuid/setgid: ~a~%"
diff --git a/gnu/services.scm b/gnu/services.scm
index 109e050a23..eefe58b336 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework <at> protonmail.com>
;;; Copyright © 2020 Christine Lemmer-Webber <cwebber <at> dustycloud.org>
;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2022 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;; Copyright © 2023 Brian Cully <bjc <at> spork.org>
;;;
;;; This file is part of GNU Guix.
@@ -892,8 +893,12 @@ (define setuid-program-service-type
(extend (lambda (config extensions)
(append config extensions)))
(description
- "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid and/or setgid.")))
+ "Copy the specified executables to @file{/run/privileged/bin}
+and apply special privileges like setuid and/or setgid.
+
+The deprecated @file{/run/setuid-programs} directory is also populated with
+symbolic links to their @file{/run/privileged/bin} counterpart. It will be
+removed in a future Guix release.")))
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
--
2.41.0
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.