From: edk@beaver-labs.com
To: bug-guix@gnu.org
Subject: bug#63904: Can't setuid programs to anybody but root
Date: Mon, 05 Jun 2023 12:00:18 +0200
Message-ID: <87h6rmtdzk.fsf@rdklein.fr>

Dear Guix developers,

At the end of the email is the code for a minimal container, which tries
to setuid =true=, the simplest binary of all, to user suc.

When line 26 is commented, and the container is built and run with:

sudo $(guix system container mwe.scm)

One can log in to the container and run:

ls -l /run/setuid-programs/true

which yields:

-r-sr-xr-x 1 root root 39488 Jun 5 09:59 /run/setuid-programs/true

as it should.

Also, one can fire up guile and run (getpw "suc") and get in return:

$1 = #("suc" "x" 1000 998 "" "/home/suc" "/gnu/store/m6c5hgqg569mbcjjbp8l8m7q82ascpdl-bash-5.1.16/bin/bash")

However, when line 26 is uncommented, the container can be built, but
when run fails with the error below.
My hunch is that things are done out of order, with setuid binaries
being set up before user creation, but I have no way of checking that.

Please do not hesitate to ping me if I can be of help.

Cheers,

Edouard.

The error:

system container is running as PID 9825
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
Run 'sudo guix container exec 9825 /run/current-system/profile/bin/bash --login'
or run 'sudo nsenter -a -t 9825' to get a shell into it.

WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
making '/gnu/store/mnc9lfpn01frmffqa31jy3c381dkgrwl-system' the current system...
WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
setting up setuid programs in '/run/setuid-programs'...
Backtrace:
          12 (primitive-load "/gnu/store/bygckv7p4091xqykjnkay4qnazn…")
In gnu/build/linux-container.scm:
   300:8  11 (call-with-temporary-directory #)
  397:16  10 (_ "/tmp/guix-directory.B9dmTN")
    62:6   9 (call-with-clean-exit #)
In unknown file:
           8 (primitive-load "/gnu/store/mnc9lfpn01frmffqa31jy3c381d…")
In ice-9/eval.scm:
   619:8   7 (_ #f)
In unknown file:
           6 (primitive-load "/gnu/store/dib6wfh2r52dfaydz78n33267qx…")
In srfi/srfi-1.scm:
   634:9   5 (for-each # ("/gnu/sto…" …))
In unknown file:
           4 (primitive-load "/gnu/store/ypwqsx11k2qmxkscmzan6srq87q…")
In srfi/srfi-1.scm:
   634:9   3 (for-each # …)
In ice-9/boot-9.scm:
 1747:15   2 (with-exception-handler # …)
In gnu/build/activation.scm:
  317:57   1 (_)
In unknown file:
           0 (getpw "suc")

ERROR: In procedure getpw:
In procedure getpw: entry not found

The code

(use-modules
  (guix gexp)
  (gnu system)
  (gnu bootloader)
  (gnu bootloader grub)
  (gnu system file-systems)
  (gnu services)
  (gnu services base)
  (gnu system setuid)
  (gnu packages base))

(operating-system
  (host-name "minimal-container")
  (timezone "UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)))
  (file-systems %base-file-systems)
  (users (cons
          (user-account
           (name "suc")
           (group "users"))
          %base-user-accounts))
  (setuid-programs
   (cons (setuid-program (program (file-append coreutils "/bin/true"))
                         (user "suc")
                         )
         %setuid-programs))
  (packages %base-packages)
  (services %base-services))


From: Edouard Klein
To: 63904@debbugs.gnu.org
Cc: dev@jpoiret.xyz, me@tobias.gr, zimon.toutoune@gmail.com, othacehe@gnu.org, ludo@gnu.org, mail@cbaines.net, rekado@elephly.net
Subject: bug#63904: Can't setuid programs to anybody but root
Date: Tue, 06 Jun 2023 09:21:43 +0200
In-reply-to: <87h6rmtdzk.fsf@rdklein.fr>
Message-ID: <878rcxt4jt.fsf@rdklein.fr>

Dear Guix,

CCing the core team,

I tried tracking down the bug. The fatidic call to getpw was easy enough
to find: The make-setuid-program procedure is given a numeric uid
argument. This numeric uid is found from the user name string by
activate-setuid-program which calls getpwnam (gnu/build/activation.scm:317).

Now this gave me an idea to sidestep the bug: See below the modified part
of the minimal reproducible example: I just force-assign a uid to the
user I want to setuid to, and give this uid instead of the username to
the setuid record. This is cumbersome, but it does the job: the call to
getpw is averted and I get a system in which I can setuid to somebody
other than root.

However, I'm lost as to how to solve the bug for good. I tried to
understand the call stack, but I can't figure out how in the folding
service machinery the services are ordered.
My intuition is that I need to make it so the folding of non-root setuids
happens after the folding of users and groups (I also have the intuition
that root setuids must happen before, because folding users and groups
may require that root setuid binaries are there, but I have not been able
to verify that).

Here is what I was able to find.

getpw is called by activate-setuid-program
activate-setuid-program is called in setuid-program->activation-gexp
setuid-program->activation-gexp is the activation procedure for setuid-program-service-type
setuid-program-service-type is itself an extension of activation-service-type

I'm trying to follow how the service DAG is constructed, and then walked,
from there, but I don't think I have a very clear model of how it works
in my head.

I think the devil may be in:

(define (compute-boot-script _ gexps)
  ;; Reverse GEXPS so that extensions appear in the boot script in the right
  ;; order.  That is, user extensions would come first, and extensions added
  ;; by 'essential-services' (e.g., running shepherd) are guaranteed to come
  ;; last.
  (gexp->file "boot"
              ;; Clean up and activate the system, then spawn shepherd.
              #~(begin #$@(reverse gexps))))

Any help there would be greatly appreciated.

Thanks in advance,

Cheers,

Edouard.

(operating-system
  (host-name "minimal-container")
  (timezone "UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)))
  (file-systems %base-file-systems)
  (users (cons
          (user-account
           (name "suc")
           (group "users")
           (uid 1042))
          %base-user-accounts))
  (setuid-programs
   (cons (setuid-program (program (file-append coreutils "/bin/true"))
                         ;; (user "suc")
                         (user 1042)
                         )
         %setuid-programs))
  (packages %base-packages)
  (services %base-services))

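An added example, not Guix's own code and not from this thread, of the lookup step the message above describes: resolving a setuid-program's user field, which may be a user name or a numeric uid, to a numeric uid before the wrapper is chown'ed. It shows why the numeric form sidesteps the crash and turns the bare "entry not found" into an error that names the missing account and the ordering problem. The procedure name resolve-setuid-uid, the %sample-specs list and the assumption that no "suc" account exists on the machine running it are mine.

```scheme
;; Added example, not part of Guix.  Resolve the 'user' field of a
;; setuid program (a user name or a numeric uid) to a numeric uid, as
;; activate-setuid-program must do before chown'ing the wrapper.
(use-modules (ice-9 match))

(define (resolve-setuid-uid user)
  "Return the numeric uid for USER, a string (looked up with getpwnam) or
an exact integer (used as-is).  When the name is unknown, signal an error
that names the missing account and the likely cause: activation ordering."
  (match user
    ((? exact-integer? uid)
     ;; A numeric uid never touches the passwd database, which is why the
     ;; (uid 1042) workaround in the message above avoids the crash.
     uid)
    ((? string? name)
     ;; getpwnam raises 'entry not found' when the account does not exist
     ;; (yet); catch every exception kind so the message is ours.
     (catch #t
       (lambda () (passwd:uid (getpwnam name)))
       (lambda _
         (error (string-append "setuid program: user account '" name
                               "' not found; was account activation run "
                               "before setuid activation?")))))
    (_ (error "setuid program: user must be a name or a uid" user))))

;; Constructed sample: the same program with the two forms of 'user'.
;; "suc" is assumed NOT to exist on the machine running this.
(define %sample-specs
  '(("/bin/true" . 1042)
    ("/bin/true" . "root")
    ("/bin/true" . "suc")))

;; Walk the specs and report which ones could be activated right now.
(for-each
 (match-lambda
   ((program . user)
    (catch #t
      (lambda ()
        (format #t "~a -> uid ~a~%" program (resolve-setuid-uid user)))
      (lambda (key . args)
        (format #t "~a -> skipped: ~a~%" program
                (if (eq? key 'misc-error) (cadr args) args))))))
 %sample-specs)
```

Run it with `guile example.scm`; the first two specs resolve, the third is reported as skipped with the account name in the message rather than aborting the whole activation.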

From: Josselin Poiret
To: Edouard Klein, 63904@debbugs.gnu.org
Cc: me@tobias.gr, zimon.toutoune@gmail.com, othacehe@gnu.org, ludo@gnu.org, mail@cbaines.net, rekado@elephly.net
Subject: bug#63904: Can't setuid programs to anybody but root
Date: Thu, 08 Jun 2023 09:19:00 +0200
In-Reply-To: <878rcxt4jt.fsf@rdklein.fr>
Message-ID: <87edmma0bf.fsf@jpoiret.xyz>

Hi everyone,

You might want to have a look at [1], which should resolve this. I've
held off on reviewing it for quite a bit but have talked on IRC recently
with bjc about it. With this approach, while cleaner, we'll need to
identify which services rely on the setuid binaries being present, as
well as ensure they're up before any interaction with the user is
possible.

[1] https://issues.guix.gnu.org/62726

HTH,
-- 
Josselin Poiret

From: Edouard Klein
To: Josselin Poiret
Cc: 63904@debbugs.gnu.org
Subject: bug#63904: Can't setuid programs to anybody but root
Date: Thu, 06 Jul 2023 14:04:02 +0200
In-reply-to: <87edmma0bf.fsf@jpoiret.xyz>
Message-ID: <87edll9ra0.fsf@rdklein.fr>

Thank you Josselin :)

I ended up basically reusing this code in my own system layer, while we
wait on 62726 to be merged.

Also, I needed a new keyword argument to change the name of the setuid
binary.

It works flawlessly, thanks!

Cheers,

Edouard.