From: Dariqq
To: bug-guix@gnu.org
Subject: bug#73680: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Mon, 7 Oct 2024 14:55:16 +0000
Message-ID: <32a02946-4d85-472c-9035-42cfe3663a3c@posteo.net>

Hi,

I was writing a service which (among other things) adds a setuid/setgid binary for a new account+group. I got errors and warnings when trying to instantiate the operating system.

As a reproducer consider this OS which tries to privilege the hello package to a hello user and group (I started this operating system with guix system container):

#+begin_src scheme
(use-modules (gnu) (gnu services))
(use-system-modules privilege shadow)
(use-package-modules base admin)

(define %hello-accounts
  (list (user-group (name "hello") (system? #t))
        (user-account
         (name "hello")
         (group "hello")
         (system? #t)
         (comment "hello user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

(define %hello-privileged
  (list (privileged-program
         (program (file-append hello "/bin/hello"))
         (setuid? #t)
         (setgid? #t)
         (user "hello")
         (group "hello"))))

(define hello-service-type
  (service-type
   (name 'hello)
   (extensions
    (list (service-extension account-service-type
                             (const %hello-accounts))
          (service-extension privileged-program-service-type
                             (const %hello-privileged))))
   (default-value #f)
   (description "Hello Reproducer")))

(operating-system
  (host-name "hello-test")
  (services (cons (service hello-service-type) %base-services))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda")))))
#+end_src

* when setuid? is #t (regardless of setgid?) I get a fatal error:

setting up privileged programs in '/run/privileged/bin'...
Backtrace:
[...]
In gnu/build/activation.scm:
   364:57  1 (_)
In unknown file:
           0 (getpw "hello")

ERROR: In procedure getpw:
In procedure getpw: entry not found

Which seems to indicate that the user does not yet exist?

* when setuid? is #f, the user field is commented out and setgid? is #t, there is a nonfatal warning, however privileging fails:

setting up privileged programs in '/run/privileged/bin'...
warning: failed to privilege "/gnu/store/8bjy9g0cssjrw9ljz2r8ww1sma95isfj-hello-2.12.1/bin/hello": No such file or directory

When the group is changed to 0/"root" (the default) things work, I think because that account already exists.

As another example: the opensmtpd-service-type adds its utilities as setgid smtpq. The system test is failing with the same error: https://ci.guix.gnu.org/build/6060982/details

From the log:
warning: failed to privilege "/gnu/store/2ng9wzk5d13xcxhk7w7k5zzdm24shk91-opensmtpd-7.5.0p0/sbin/smtpctl": No such file or directory

However things are very weird because I have the opensmtpd server running and working locally.

Maybe a weird race condition between account creation and setting up privileged programs? Can we ensure that the account creation always happens before privileged programs are created?

From: Dariqq
To: 73680@debbugs.gnu.org
Subject: bug#73680: Acknowledgement (privileged-programs: cant set setuid/setgid to new accounts/groups)
Date: Mon, 7 Oct 2024 20:31:09 +0000
Message-ID: <5c7a4291-cc53-447d-bbc8-33f69788eae8@posteo.net>
In-Reply-To: <32a02946-4d85-472c-9035-42cfe3663a3c@posteo.net>

I have also seen the message when reconfiguring a running system:

failed to privilege : Success

This error seems to come from Guile's getgrnam (used by activate-privileged-programs to get the gid of a group):

scheme@(guile-user)> (getgrnam "does-not-exist")
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure getgr: Success

Looking at man 3 getgrnam, both a 0 or ENOENT return indicate that the gid was not found. Is /etc/groups being recreated on every boot and therefore not yet existing upon boot -> ENOENT? When /etc/groups already exists it returns 0 when not found (which Guile interprets as success)?

I don't know why the getgrnam error is being caught by the (catch 'system-error ...) and the equally invalid getpwnam is not, which led me to an unbootable configuration (reconfigure completing because the user already existed, but not yet when run at boot).

I was looking at the extension graph and the connection between privileged-programs and accounts is not being modeled. Not sure how this should work, because privileged-programs has less information about an account than account-service.

Still no idea why the opensmtpd setgid is working on my system but when I run my config through guix system container it does not.

From: Dariqq
To: 73680@debbugs.gnu.org
Subject: bug#73680: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Tue, 8 Oct 2024 10:45:44 +0000
Message-ID: <82936b4e-f572-407a-a98d-1d5771c6ec37@posteo.net>
In-Reply-To: <5c7a4291-cc53-447d-bbc8-33f69788eae8@posteo.net>

I downloaded the latest ISO (https://ci.guix.gnu.org/build/6060923/details from yesterday) and tried to install opensmtpd in there. After the reconfigure I got the 'failed to privilege : Success' warning but upon reboot things were working.

I think I know what is happening now:

The *first* time we try to privilege something it fails because the group does not yet exist. After a reboot it is succeeding because it is using the group info from the previous boot, because that has not been recreated yet.

This seems to work for groups because the getgrnam error "group does not exist" is a 'system-error being caught by the exception handler, while the getpwnam error "user does not exist" is a 'misc-error instead, causing a backtrace which aborts further activation scripts (that would create the user).

As a simple workaround we could catch the getpwnam error too, but this is not really solving anything and relies on previous state which might be incorrect. This is also really fragile.

Another idea would be to run the account+user creating scripts as early as possible.

Or, as a more thorough solution, model the dependency on users/groups directly to enforce the ordering (might be problematic because some activation scripts also require a user/group to set permissions, which would make the extension graph not acyclic (accounts -> activation -> accounts)). Maybe this is doable with a more minimal accounts service that only knows about user/group names?

I am surprised this has not been causing issues earlier, as also a lot of direct activation extensions set ownership on directories (that this works seems like a lucky coincidence in how service-extension/service-folding works rather than a design consideration).
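The two failure modes above both hinge on the libc lookup contract that the second message cites from man 3 getgrnam: getgrnam() and getpwnam() return NULL for "no such entry" and may leave errno at 0 (hence Guile's "In procedure getgr: Success"), so a privileging step has to reset errno, tell "absent" apart from a genuine error, and refuse to touch the binary until both the user and the group resolve. The following C program is an added example written for this editor's notes; it is not code from the bug thread or from Guix. The function names (lookup_uid, lookup_gid, resolve_privileged_owner) are this example's own, and the "hello" account is the constructed one from the reproducer, assumed not to exist on the host running the example.

```c
/* Added example (not from the bug thread or Guix): how a privileging step
 * should resolve the owner and group of a program before touching it.
 *
 * The thread shows two failure modes that hinge on the libc lookup contract:
 *   - getgrnam() returns NULL for "no such group" and may leave errno at 0,
 *     which Guile surfaced as the confusing "In procedure getgr: Success";
 *   - getpwnam() for a missing user aborted the whole activation run.
 * Both are "entry not found", which must be told apart from a real error and
 * must make the caller stop before any chown/chmod happens. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum lookup_result { LOOKUP_FOUND = 1, LOOKUP_ABSENT = 0, LOOKUP_ERROR = -1 };

/* man 3 getgrnam / getpwnam: a NULL return with errno 0, ENOENT, ESRCH,
 * EBADF or EPERM means "not found"; any other errno is a genuine failure. */
static int classify_absent(int err)
{
    switch (err) {
    case 0: case ENOENT: case ESRCH: case EBADF: case EPERM:
        return LOOKUP_ABSENT;
    default:
        return LOOKUP_ERROR;
    }
}

int lookup_uid(const char *name, uid_t *out)
{
    errno = 0;  /* errno is only meaningful after a NULL return if we reset it first */
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return classify_absent(errno);
    *out = pw->pw_uid;
    return LOOKUP_FOUND;
}

int lookup_gid(const char *name, gid_t *out)
{
    errno = 0;
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return classify_absent(errno);
    *out = gr->gr_gid;
    return LOOKUP_FOUND;
}

/* Resolve both principals for a program; return 1 only if both exist, so the
 * caller can refuse to chown/chmod a setuid/setgid binary to an id that is
 * not (yet) defined, instead of failing half-way or inheriting stale state
 * from a previous boot. On refusal, `why` receives a human-readable reason. */
int resolve_privileged_owner(const char *user, const char *group,
                             uid_t *uid, gid_t *gid, char *why, size_t whylen)
{
    int r = lookup_uid(user, uid);
    if (r != LOOKUP_FOUND) {
        snprintf(why, whylen, "user \"%s\": %s", user,
                 r == LOOKUP_ABSENT ? "entry not found" : strerror(errno));
        return 0;
    }
    r = lookup_gid(group, gid);
    if (r != LOOKUP_FOUND) {
        snprintf(why, whylen, "group \"%s\": %s", group,
                 r == LOOKUP_ABSENT ? "entry not found" : strerror(errno));
        return 0;
    }
    return 1;
}

int main(void)
{
    uid_t uid; gid_t gid; char why[256];
    /* "hello" is the constructed account from the bug report's reproducer; on
     * a host that has not created it yet this must refuse, not report Success. */
    if (resolve_privileged_owner("hello", "hello", &uid, &gid, why, sizeof why))
        printf("would privilege as %u:%u\n", (unsigned)uid, (unsigned)gid);
    else
        printf("refusing to privilege: %s\n", why);
    return 0;
}
```

The point of the three-way result is that an activation script can make the ordering bug loud and safe at the same time: a missing account is reported by name and the program is left unprivileged, rather than either aborting the remaining activation scripts (the getpwnam case) or silently reusing whatever /etc/group happened to contain at the previous boot (the getgrnam case).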
From: Dariqq
To: 73680@debbugs.gnu.org
Subject: bug#73680: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Wed, 9 Oct 2024 16:35:36 +0000
Message-ID: <26df374b-5cc8-4512-b276-05df5d4d2b6a@posteo.net>
In-Reply-To: <82936b4e-f572-407a-a98d-1d5771c6ec37@posteo.net>

The problem is the ordering of the services, which is responsible for the order in the activation-service-type after folding: https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/system.scm#n808

It currently looks something like this (omitting some things):

activation-service
...
account-service
etc-service
...
privileged-program-service
---

which are added to the folded activation-service in reverse order (one can check this by looking at the service-value of (fold-services (operating-system-services %os) #:target-type activation-service-type)).

I think the easiest solution would be to either move the privileged-program-service-type up or the account-service down.

Because activation-service is above account-service, users/groups are already available for direct activation-service extensions that set permission/ownership on files.

From: Dariqq
To: 73680@debbugs.gnu.org
Subject: bug#73680: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Wed, 9 Oct 2024 18:08:47 +0000
In-Reply-To: <26df374b-5cc8-4512-b276-05df5d4d2b6a@posteo.net>

Regarding the opensmtpd test failure:

This is completely unrelated to the privileging problem (we invoke the unprivileged one, which results in a warning, but we don't really use it and only check if mail gets delivered).

The problem is that we check /var/spool/mail for the mail but opensmtpd seems to deliver to /var/mail instead. From the build log of opensmtpd:

checking system mail directory... /var/mail from _PATH_MAILDIR

From: Dariqq
To: 73680@debbugs.gnu.org
Subject: bug#73680: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Sat, 12 Oct 2024 08:20:43 +0000

I have sent a patch to reorder the default-services: https://issues.guix.gnu.org/73767

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Dariqq
Subject: bug#73680: closed (Re: [bug#73767] [PATCH] gnu: system: Privilege programs after creating accounts.)
Date: Thu, 24 Oct 2024 10:16:02 +0000

Your bug report

#73680: privileged-programs: cant set setuid/setgid to new accounts/groups

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 73680@debbugs.gnu.org.

-- 
73680: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73680
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Dariqq
Cc: 73767-done@debbugs.gnu.org, 73680-done@debbugs.gnu.org
Subject: Re: [bug#73767] [PATCH] gnu: system: Privilege programs after creating accounts.
Date: Thu, 24 Oct 2024 12:14:50 +0200
Message-ID: <87bjz924f9.fsf@gnu.org>

Hi Dariqq,

Dariqq skribis:

> Ensure that users and groups are already created when the privileging script
> runs. The order these scripts appear in the folded activation-service depends
> on the order these services are instantiated in the operating-system.
>
> Fixes https://issues.guix.gnu.org/73680.
>
> * gnu/system.scm (operating-system-default-essential-services): Move
> privileged-program-service above account-service.
> (hurd-default-essential-services): Likewise.
>
> Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e

[...]

> I would prefer a solution that also models this dependency to not depend on
> input order but this might be tricky.

Yes, that would be best.

I applied both patches and took the liberty to squash them: we usually arrange to have the bug-fix and the test that exhibits the bug in the same commit, for clarity.

Thanks for the investigation & fix!

Ludo'.