GNU bug report logs - #73680
privileged-programs: cant set setuid/setgid to new accounts/groups

Previous Next

Package: guix;

Reported by: Dariqq <dariqq <at> posteo.net>

Date: Mon, 7 Oct 2024 14:56:02 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Dariqq <dariqq <at> posteo.net>
Subject: bug#73680: closed (Re: [bug#73767] [PATCH] gnu: system: Privilege
 programs after creating accounts.)
Date: Thu, 24 Oct 2024 10:16:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#73680: privileged-programs: cant set setuid/setgid to new accounts/groups

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 73680 <at> debbugs.gnu.org.

-- 
73680: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73680
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Dariqq <dariqq <at> posteo.net>
Cc: 73767-done <at> debbugs.gnu.org, 73680-done <at> debbugs.gnu.org
Subject: Re: [bug#73767] [PATCH] gnu: system: Privilege programs after
 creating accounts.
Date: Thu, 24 Oct 2024 12:14:50 +0200

Hi Dariqq,

Dariqq <dariqq <at> posteo.net> skribis:

> Ensure that users and groups are already created when the privileging script
> runs. The order these scripts appear in the folded activation-service depends
> on the order these services are instantiated in the operating-system.
>
> Fixes https://issues.guix.gnu.org/73680.
>
> * gnu/system.scm (operating-system-default-essential-services): Move
> privileged-program-service above account-service.
> (hurd-default-essential-services): Likewise.
>
> Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e

[...]

> I would prefer a solution that also models this dependency to not depend on input order but this might be tricky.

Yes, that would be best.

I applied both patches and took the liberty to squash them: we usually
arrange to have the bug-fix and the test that exhibits the bug in the
same commit, for clarity.

Thanks for the investigation & fix!

Ludo’.


[Message part 3 (message/rfc822, inline)]
From: Dariqq <dariqq <at> posteo.net>
To: bug-guix <at> gnu.org
Subject: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Mon,  7 Oct 2024 14:55:16 +0000

Hi,

I was writing a service which (among other things) adds a setuid/setgid 
binary for new account+groupn. I got errors and warnings when trying to 
instantiate the operating system.


As a reproducer consider this os which tries to privilege the hello 
package to a hello user and group (I started this operating system with 
guix system container.):

#+begin_src scheme
(use-modules (gnu)
	     (gnu services))
(use-system-modules privilege shadow)
(use-package-modules base admin)

(define %hello-accounts
  (list (user-group (name "hello") (system? #t))
        (user-account
         (name "hello")
         (group "hello")
         (system? #t)
         (comment "hello user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

(define %hello-privileged
  (list
   (privileged-program
    (program (file-append hello "/bin/hello"))
    (setuid? #t)
    (setgid? #t)
    (user "hello")
    (group "hello"))))

(define hello-service-type
  (service-type
   (name 'hello)
   (extensions
    (list (service-extension account-service-type
                             (const %hello-accounts))
	  (service-extension privileged-program-service-type
                             (const %hello-privileged))))
   (default-value #f)
   (description "Hello Reproducer")))


(operating-system
  (host-name "hello-test")
  (services
   (cons (service hello-service-type) %base-services))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda")))))
#+end_src



*  when setuid? is #t (regardless of setgid?) I get a fatal error:

setting up privileged programs in '/run/privileged/bin'...
Backtrace:
[...]
In gnu/build/activation.scm:
   364:57  1 (_)
In unknown file:
           0 (getpw "hello")

ERROR: In procedure getpw:
In procedure getpw: entry not found

Which seems to indicate that the user does not yet exist?

* when setuid? is #f, user field is commented and setgid? #t there is a 
nonfatal warning, however privileging fails:

setting up privileged programs in '/run/privileged/bin'...
warning: failed to privilege 
"/gnu/store/8bjy9g0cssjrw9ljz2r8ww1sma95isfj-hello-2.12.1/bin/hello": No 
such file or directory

When the griup is changed to 0/"root" (the default) things work, i think 
because that account already exists.


As another example: the opensmtpd-service-type adds its utilties as 
setgid smtpq.

The systemtest is failing with the same error: 
https://ci.guix.gnu.org/build/6060982/details

From the log
warning: failed to privilege 
"/gnu/store/2ng9wzk5d13xcxhk7w7k5zzdm24shk91-opensmtpd-7.5.0p0/sbin/smtpctl": 
No such file or directory




However things are very weird because I have the opensmtpd server 
running and working locally.

maybe a weird race-condition between account-creation and setting up 
privileged programs? Can we ensure that the account creation always 
happens before privileged programs are created?
This bug report was last modified 260 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.