Package: guix-patches;
Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date: Sun, 12 Feb 2023 20:46:01 UTC
Severity: normal
Tags: patch
Done: Tobias Geerinckx-Rice <me <at> tobias.gr>
Bug is archived. No further changes may be made.
View this message in rfc822 format
From: Tobias Geerinckx-Rice <me <at> tobias.gr> To: 61462 <at> debbugs.gnu.org Cc: Leo Famulari <leo <at> famulari.name>, Liliana Marie Prikler <liliana.prikler <at> gmail.com>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, Raghav Gururajan <rg <at> raghavgururajan.name>, Tobias Geerinckx-Rice <me <at> tobias.gr> Subject: [bug#61462] [PATCH v2 04/10] gnu: Replace (almost) all uses of /run/setuid-programs. Date: Sun, 16 Jul 2023 01:59:54 +0200
…those good for master, anyway.
* gnu/packages/admin.scm (ktsuss, opendoas, hosts)
[arguments]: Replace /run/setuid-programs with /run/privileged/bin.
* gnu/packages/containers.scm (slirp4netns)[arguments]: Likewise.
* gnu/packages/debian.scm (pbuilder)[arguments]: Likewise.
* gnu/packages/disk.scm (udevil)[arguments]: Likewise.
* gnu/packages/enlightenment.scm (efl, enlightenment)
[arguments]: Likewise.
* gnu/packages/gnome.scm (gdm, gnome-control-center)
[arguments]: Likewise.
* gnu/packages/linux.scm (singularity)[arguments]: Likewise.
* gnu/packages/lxde.scm (spacefm)[arguments]: Likewise.
* gnu/packages/monitoring.scm (zabbix-agentd)[arguments]: Likewise.
* gnu/packages/virtualization.scm (ganeti)[arguments]: Likewise.
* gnu/packages/xdisorg.scm (xsecurelock)[arguments]: Likewise.
* gnu/services/dbus.scm (dbus-configuration-directory): Likewise.
* gnu/services/ganeti.scm (%default-ganeti-environment-variables):
Likewise.
* gnu/services/monitoring.scm (zabbix-agent-shepherd-service): Likewise.
* gnu/tests/ldap.scm (marionette): Likewise.
* gnu/tests/monitoring.scm (os): Likewise.
---
gnu/machine/ssh.scm | 2 ++
gnu/packages/admin.scm | 6 +++---
gnu/packages/containers.scm | 2 +-
gnu/packages/debian.scm | 4 ++--
gnu/packages/disk.scm | 14 +++++++-------
gnu/packages/enlightenment.scm | 10 +++++-----
gnu/packages/gnome.scm | 4 ++--
gnu/packages/linux.scm | 2 +-
gnu/packages/lxde.scm | 19 ++++++++-----------
gnu/packages/monitoring.scm | 2 +-
gnu/packages/virtualization.scm | 2 +-
gnu/packages/xdisorg.scm | 2 +-
gnu/services/dbus.scm | 2 +-
gnu/services/ganeti.scm | 2 +-
gnu/services/monitoring.scm | 2 +-
gnu/tests/ldap.scm | 2 +-
gnu/tests/monitoring.scm | 4 ++--
17 files changed, 40 insertions(+), 41 deletions(-)
diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index 343cf74748..26ea787e29 100644
--- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -177,6 +177,8 @@ (define (machine-become-command machine)
(if (string= "root" (machine-ssh-configuration-user
(machine-configuration machine)))
'()
+ ;; Use the old setuid-programs location until the remote is likely to
+ ;; have the new /run/privileged one in place.
'("/run/setuid-programs/sudo" "-n" "--")))
(define (managed-host-remote-eval machine exp)
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index ec32041055..c42f23f437 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -205,7 +205,7 @@ (define-public ktsuss
(lambda _
(substitute* "configure.ac"
(("supath=`which su 2>/dev/null`")
- "supath=/run/setuid-programs/su"))
+ "supath=/run/privileged/bin/su"))
#t)))))
(native-inputs
(list autoconf automake libtool pkg-config))
@@ -2077,7 +2077,7 @@ (define-public opendoas
(substitute* "doas.c"
(("safepath =" match)
(string-append match " \""
- "/run/setuid-programs:"
+ "/run/privileged/bin:"
"/run/current-system/profile/bin:"
"/run/current-system/profile/sbin:"
"\" ")))))
@@ -4918,7 +4918,7 @@ (define-public hosts
":" (assoc-ref %build-inputs "grep") "/bin"
":" (assoc-ref %build-inputs "ncurses") "/bin"
":" (assoc-ref %build-inputs "sed") "/bin"
- ":" "/run/setuid-programs"
+ ":" "/run/privileged/bin"
":" (getenv "PATH")))
(substitute* "hosts"
(("#!/usr/bin/env bash")
diff --git a/gnu/packages/containers.scm b/gnu/packages/containers.scm
index 232d994fe3..92573f211d 100644
--- a/gnu/packages/containers.scm
+++ b/gnu/packages/containers.scm
@@ -237,7 +237,7 @@ (define-public slirp4netns
(add-after 'unpack 'fix-hardcoded-paths
(lambda _
(substitute* (find-files "tests" "\\.sh")
- (("ping") "/run/setuid-programs/ping")))))))
+ (("ping") "/run/privileged/bin/ping")))))))
(inputs
(list glib
libcap
diff --git a/gnu/packages/debian.scm b/gnu/packages/debian.scm
index c5cfda9f80..c18de1403c 100644
--- a/gnu/packages/debian.scm
+++ b/gnu/packages/debian.scm
@@ -494,8 +494,8 @@ (define-public pbuilder
(lambda ()
(format #t "# A couple of presets to make this work more smoothly.~@
MIRRORSITE=\"http://deb.debian.org/debian\"~@
- if [ -r /run/setuid-programs/sudo ]; then~@
- PBUILDERROOTCMD=\"/run/setuid-programs/sudo -E\"~@
+ if [ -r /run/privileged/bin/sudo ]; then~@
+ PBUILDERROOTCMD=\"/run/privileged/bin/sudo -E\"~@
fi~@
PBUILDERSATISFYDEPENDSCMD=\"~a/lib/pbuilder/pbuilder-satisfydepends-apt\"~%"
#$output)))))
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index 35ffcf173e..95688ad422 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -204,10 +204,10 @@ (define-public udevil
;; udevil expects these programs to be run with uid set as root.
;; user has to manually add these programs to setuid-programs.
;; mount and umount are default setuid-programs in guix system.
- "--with-mount-prog=/run/setuid-programs/mount"
- "--with-umount-prog=/run/setuid-programs/umount"
- "--with-losetup-prog=/run/setuid-programs/losetup"
- "--with-setfacl-prog=/run/setuid-programs/setfacl")
+ "--with-mount-prog=/run/privileged/bin/mount"
+ "--with-umount-prog=/run/privileged/bin/umount"
+ "--with-losetup-prog=/run/privileged/bin/losetup"
+ "--with-setfacl-prog=/run/privileged/bin/setfacl")
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'remove-root-reference
@@ -218,12 +218,12 @@ (define-public udevil
(add-after 'unpack 'patch-udevil-reference
;; udevil expects itself to be run with uid set as root.
;; devmon also expects udevil to be run with uid set as root.
- ;; user has to manually add udevil to setuid-programs.
+ ;; user has to manually add udevil to privileged-programs.
(lambda _
(substitute* "src/udevil.c"
- (("/usr/bin/udevil") "/run/setuid-programs/udevil"))
+ (("/usr/bin/udevil") "/run/privileged/bin/udevil"))
(substitute* "src/devmon"
- (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil"))
+ (("`which udevil 2>/dev/null`") "/run/privileged/bin/udevil"))
#t)))))
(native-inputs
(list intltool pkg-config))
diff --git a/gnu/packages/enlightenment.scm b/gnu/packages/enlightenment.scm
index 64d8945f8e..a6ee9dcb8a 100644
--- a/gnu/packages/enlightenment.scm
+++ b/gnu/packages/enlightenment.scm
@@ -149,8 +149,8 @@ (define-public efl
"-Dbuild-examples=false"
"-Decore-imf-loaders-disabler=scim"
"-Dglib=true"
- "-Dmount-path=/run/setuid-programs/mount"
- "-Dunmount-path=/run/setuid-programs/umount"
+ "-Dmount-path=/run/privileged/bin/mount"
+ "-Dunmount-path=/run/privileged/bin/umount"
"-Dnetwork-backend=connman"
,,@(if (member (%current-system)
(package-transitive-supported-systems luajit))
@@ -338,7 +338,7 @@ (define-public enlightenment
(substitute* '("src/bin/e_sys_main.c"
"src/bin/e_util_suid.h")
(("PATH=/bin:/usr/bin:/sbin:/usr/sbin")
- (string-append "PATH=/run/setuid-programs:"
+ (string-append "PATH=/run/privileged/bin:"
"/run/current-system/profile/bin:"
"/run/current-system/profile/sbin")))
(substitute* "src/modules/everything/evry_plug_calc.c"
@@ -347,8 +347,8 @@ (define-public enlightenment
(("libddcutil\\.so\\.?" libddcutil)
(string-append ddcutil "/lib/" libddcutil)))
(substitute* "data/etc/meson.build"
- (("/bin/mount") "/run/setuid-programs/mount")
- (("/bin/umount") "/run/setuid-programs/umount")
+ (("/bin/mount") "/run/privileged/bin/mount")
+ (("/bin/umount") "/run/privileged/bin/umount")
(("/usr/bin/eject") "/run/current-system/profile/bin/eject"))
(substitute* "src/bin/system/e_system_power.c"
(("systemctl") "loginctl"))))))))
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 11085ecc80..485b8a16ba 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -8813,7 +8813,7 @@ (define-public gdm
"--localstatedir=/var"
(string-append "-Ddefault-path="
- (string-join '("/run/setuid-programs"
+ (string-join '("/run/privileged/bin"
"/run/current-system/profile/bin"
"/run/current-system/profile/sbin")
":"))
@@ -9088,7 +9088,7 @@ (define-public gnome-control-center
inputs "bin/nm-connection-editor"))))
(substitute* "panels/user-accounts/run-passwd.c"
(("/usr/bin/passwd")
- "/run/setuid-programs/passwd"))
+ "/run/privileged/bin/passwd"))
(substitute* "panels/info-overview/cc-info-overview-panel.c"
(("DATADIR \"/gnome/gnome-version.xml\"")
(format #f "~s" (search-input-file
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 67128524ff..cc8d3be791 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -5114,7 +5114,7 @@ (define-public singularity
(substitute* (find-files "libexec/cli" "\\.exec$")
(("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
_ program)
- (string-append "/run/setuid-programs/singularity-"
+ (string-append "/run/privileged/bin/singularity-"
program "-helper")))
;; These squashfs mount options are apparently no longer
diff --git a/gnu/packages/lxde.scm b/gnu/packages/lxde.scm
index 0291f50302..1a969eb4b5 100644
--- a/gnu/packages/lxde.scm
+++ b/gnu/packages/lxde.scm
@@ -372,26 +372,23 @@ (define-public spacefm
(substitute* '("mime-type/mime-type.c" "ptk/ptk-file-menu.c")
(("/usr(/local)?/share/mime") mime)))
#t)))
- (add-after 'patch-mime-dirs 'patch-setuid-progs
+ (add-after 'patch-mime-dirs 'patch-privileged-programs
(lambda _
- (let* ((su "/run/setuid-programs/su")
- (mount "/run/setuid-programs/mount")
- (umount "/run/setuid-programs/umount")
- (udevil "/run/setuid-programs/udevil"))
+ (let ((privileged (lambda (command)
+ (string-append "/run/privileged/bin/"
+ command))))
(with-directory-excursion "src"
(substitute* '("settings.c" "settings.h" "vfs/vfs-file-task.c"
"vfs/vfs-volume-hal.c" "../data/ui/prefdlg.ui"
"../data/ui/prefdlg2.ui")
- (("(/usr)?/bin/su") su)
- (("/(bin|sbin)/mount") mount)
- (("/(bin|sbin)/umount") umount)
- (("/usr/bin/udevil") udevil)))
+ (("(/usr)?/s?bin/(mount|umount|su|udevil)" _ _ command)
+ (privileged command))))
#t)))
- (add-after 'patch-setuid-progs 'patch-spacefm-conf
+ (add-after 'patch-privileged-programs 'patch-spacefm.conf
(lambda* (#:key inputs #:allow-other-keys)
(substitute* "etc/spacefm.conf"
(("#terminal_su=/bin/su")
- "terminal_su=/run/setuid-programs/su")
+ "terminal_su=/run/privileged/bin/su")
(("#graphical_su=/usr/bin/gksu")
(string-append "graphical_su="
(search-input-file inputs "/bin/ktsuss")))))))
diff --git a/gnu/packages/monitoring.scm b/gnu/packages/monitoring.scm
index 3238f11fb4..f935c015a4 100644
--- a/gnu/packages/monitoring.scm
+++ b/gnu/packages/monitoring.scm
@@ -186,7 +186,7 @@ (define-public zabbix-agentd
"src/zabbix_server/server.c")
;; 'fping' must be setuid, so look for it in the usual location.
(("/usr/sbin/fping6?")
- "/run/setuid-programs/fping")))))
+ "/run/privileged/bin/fping")))))
(build-system gnu-build-system)
(arguments
(list #:configure-flags
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 9b1bdeb5e4..26e4ecff14 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -764,7 +764,7 @@ (define-public ganeti
;; hard coded PATH. Patch so it works on Guix System.
(substitute* "src/Ganeti/Constants.hs"
(("/sbin:/bin:/usr/sbin:/usr/bin")
- "/run/setuid-programs:/run/current-system/profile/sbin:\
+ "/run/privileged/bin:/run/current-system/profile/sbin:\
/run/current-system/profile/bin"))))
(add-after 'bootstrap 'patch-sphinx-version-detection
(lambda _
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index da5ca76e10..e7ede8de3e 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -2507,7 +2507,7 @@ (define-public xsecurelock
'(#:configure-flags
'("--with-pam-service-name=login"
"--with-xkb"
- "--with-default-authproto-module=/run/setuid-programs/authproto_pam")))
+ "--with-default-authproto-module=/run/privileged/bin/authproto_pam")))
(native-inputs
(list pandoc pkg-config))
(inputs
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index 5a0c634393..bb9efb1c56 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -115,7 +115,7 @@ (define (dbus-configuration-directory services)
;; failures such as <https://issues.guix.gnu.org/52051> on slow
;; computers with slow I/O.
(limit (@ (name "auth_timeout")) "300000")
- (servicehelper "/run/setuid-programs/dbus-daemon-launch-helper")
+ (servicehelper "/run/privileged/bin/dbus-daemon-launch-helper")
;; First, the '.service' files of services subject to activation.
;; We use a fixed location under /etc because the setuid helper
diff --git a/gnu/services/ganeti.scm b/gnu/services/ganeti.scm
index f4fec3833e..ee72946c88 100644
--- a/gnu/services/ganeti.scm
+++ b/gnu/services/ganeti.scm
@@ -182,7 +182,7 @@ (define-module (gnu services ganeti)
;; Ceph, Gluster, etc, without having to add absolute references to everything.
(define %default-ganeti-environment-variables
(list (string-append "PATH="
- (string-join '("/run/setuid-programs"
+ (string-join '("/run/privileged/bin"
"/run/current-system/profile/sbin"
"/run/current-system/profile/bin")
":"))))
diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm
index e698040078..c3fc8dafc8 100644
--- a/gnu/services/monitoring.scm
+++ b/gnu/services/monitoring.scm
@@ -1016,7 +1016,7 @@ (define (zabbix-agent-shepherd-service config)
/etc/ssl/certs"
"SSL_CERT_FILE=/run/current-system/profile\
/etc/ssl/certs/ca-certificates.crt"
- "PATH=/run/setuid-programs:\
+ "PATH=/run/privileged/bin:\
/run/current-system/profile/bin:/run/current-system/profile/sbin")))
(stop #~(make-kill-destructor)))))
diff --git a/gnu/tests/ldap.scm b/gnu/tests/ldap.scm
index 47e77c0c53..d5ab6899cf 100644
--- a/gnu/tests/ldap.scm
+++ b/gnu/tests/ldap.scm
@@ -144,7 +144,7 @@ (define (run-ldap-test)
(test-assert "Can become LDAP user"
(marionette-eval
- '(zero? (system* "/run/setuid-programs/su" "eva" "-c"
+ '(zero? (system* "/run/privileged/bin/su" "eva" "-c"
#$(file-append coreutils "/bin/true")))
marionette))
diff --git a/gnu/tests/monitoring.scm b/gnu/tests/monitoring.scm
index bbab1d8acf..a0c8c929b1 100644
--- a/gnu/tests/monitoring.scm
+++ b/gnu/tests/monitoring.scm
@@ -189,11 +189,11 @@ (define* (run-zabbix-server-test name test-os)
(start-service 'postgres))
marionette))
- ;; Add /run/setuid-programs to $PATH so that the scripts passed to
+ ;; Add privileged programs to $PATH so that the scripts passed to
;; 'system' can find 'sudo'.
(marionette-eval
'(setenv "PATH"
- "/run/setuid-programs:/run/current-system/profile/bin")
+ "/run/privileged/bin:/run/current-system/profile/bin")
marionette)
(test-eq "postgres create zabbix user"
--
2.41.0
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.