GNU bug report logs -
#62725
Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’
Reported by: Brian Cully <bjc <at> spork.org>
Date: Sat, 8 Apr 2023 15:05:02 UTC
Severity: normal
Fix blocked by 62726: [PATCH] services: Activate `setuid-program-service-type' in shepherd.
Report forwarded to bug-guix <at> gnu.org: bug#62725; Package guix. (Sat, 08 Apr 2023 15:05:02 GMT)
Acknowledgement sent to Brian Cully <bjc <at> spork.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 08 Apr 2023 15:05:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
There is currently no way to ensure that an account exists before
creating /run/setuid-programs, which means a setuid-program which
uses a custom user or group will fail to be created if setuid
activation happens before account activation.
As an example, here's a system config where I'm trying to install
‘/run/setuid-programs/dumpcap’ as setuid root with a primary group
of ‘wireshark’, also created by this config:
--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system setuid))
(use-package-modules networking)
(use-service-modules setuid)

;; TODO: make name configurable
(define %wireshark-groups
  (list (user-group
         (name "wireshark")
         (system? #t))))

(define %wireshark-setuid-programs
  (list (setuid-program
         (program (file-append wireshark "/bin/dumpcap"))
         (group "wireshark")
         #;(mask #o550))))

(define wireshark-service-type
  (service-type
   (name 'wireshark)
   (description "Allow use of wireshark by regular users in the
@code{wireshark} group.")
   (extensions
    (list (service-extension account-service-type
                             (const %wireshark-groups))
          (service-extension setuid-program-service-type
                             (const %wireshark-setuid-programs))))
   (default-value #f)))

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "wireshark-test")

  (users (cons* (user-account
                 (name "test")
                 (group "users")
                 (password (crypt "test" "$6$test"))
                 (supplementary-groups
                  '("wireshark")))
                %base-user-accounts))

  (packages
   (cons*
    (specification->package "wireshark")
    %base-packages))

  (services
   (cons*
    (service wireshark-service-type)
    %base-services))

  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets '("/boot/efi"))
    (keyboard-layout keyboard-layout)))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device
             (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
                   'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "6866-56B1" 'fat32))
            (type "vfat"))
          %base-file-systems)))
--8<---------------cut here---------------end--------------->8---
When trying to boot this system in a VM, I'm told that the dumpcap
binary couldn't be created because the file wasn't found. The
returned error is improperly attributed: the source file does
exist, and the error code is actually coming from getgrent(3)
which cannot find the ‘wireshark’ group.
Tracing through the activation scripts shows this to be because,
in this case, setuid-program activation happens before
account activation.
Thanks to jpoiret for doing a lot of the investigative work here,
which I'm merely verifying through testing.
I believe the correct solution here is to move ‘setuid-program’
activation to a one-shot Shepherd service, because Shepherd allows
explicit ordering, as well as other advantages. To that end, I
have a patch which does precisely that, which I will send to the
patches list shortly.
-bjc
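An added example, not code from the bug report, from patch 62726 or from Guix itself: a plain Guile script that reproduces the failure mode described in the report and puts the check a practitioner would want in front of it. It copies a program into place as a setuid helper, but resolves the user and group itself first, so an absent group is reported as "no such group" instead of surfacing as getgrnam's "No such file or directory" attributed to the binary. The names (group-gid, user-uid, install-setuid-program, demo), the default mode #o4750 and the scratch directory are this example's own assumptions; it does not show the Shepherd relocation proposed above, only the check. Run it with `guile` as an ordinary user:

```scheme
;; Added illustration, not code from the report or from Guix: install a
;; setuid copy of a program the way the activation step conceptually
;; does, but check each precondition itself so that a missing group is
;; reported as a missing group rather than as a missing file.
(use-modules (ice-9 format))

(define (group-gid name)
  "Return the numeric gid of group NAME, or #f if the NSS lookup finds
no such entry.  Guile's getgrnam signals an error for a missing entry
(a system-error carrying ENOENT with some NSS backends), which is how a
missing group surfaces as \"No such file or directory\"."
  (catch #t
    (lambda () (group:gid (getgrnam name)))
    (lambda _ #f)))

(define (user-uid name)
  "Return the numeric uid of user NAME, or #f if there is no such user."
  (catch #t
    (lambda () (passwd:uid (getpwnam name)))
    (lambda _ #f)))

(define* (install-setuid-program source target
                                 #:key (user "root") (group "root")
                                 (mode #o4750))
  "Copy SOURCE to TARGET, make it owned by USER:GROUP and apply MODE.
The default MODE (setuid, group-executable, not world-executable) is
this example's choice for a dumpcap-style helper, not a Guix default."
  (let ((uid (user-uid user))
        (gid (group-gid group)))
    (cond
     ((not (file-exists? source))
      (error "setuid program: source does not exist:" source))
     ((not uid)
      (error "setuid program: no such user:" user))
     ((not gid)
      ;; This is the case the bug report hit: the account service had
      ;; not yet created the group when the setuid step ran.
      (error "setuid program: no such group:" group))
     (else
      (copy-file source target)
      ;; Order matters: on Linux chown() clears the setuid/setgid bits,
      ;; so the mode must be applied after ownership is set.
      (chown target uid gid)
      (chmod target mode)
      target))))

;; Constructed demonstration.  Runs unprivileged in a scratch directory
;; and uses a group name that should not exist on any system, so it
;; exercises the failure path without touching /run/setuid-programs.
(define (demo)
  (let* ((dir (string-append (or (getenv "TMPDIR") "/tmp")
                             "/setuid-demo-" (number->string (getpid))))
         (source (string-append dir "/dumpcap"))
         (target (string-append dir "/setuid-dumpcap")))
    (mkdir dir)
    (call-with-output-file source
      (lambda (port) (display "#!/bin/sh\necho dumpcap stand-in\n" port)))
    (catch 'misc-error
      (lambda ()
        (install-setuid-program source target
                                #:group "no-such-group-62725"))
      (lambda (key subr message args . rest)
        (format #t "refused: ~a~%" (apply format #f message args))))
    (delete-file source)
    (rmdir dir)))

(demo)
```

The check only turns a misleading error into an accurate one; the remedy for the report itself is still to run the setuid step after the accounts exist, which is what moving it out of the unordered activation snippets achieves. The chown-before-chmod order is worth keeping in any such installer: applying the mode first silently produces a non-setuid copy.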
Added blocking bug(s) 62726. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Sat, 08 Apr 2023 16:58:01 GMT)
This bug report was last modified 2 years and 73 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.