GNU bug report logs - #73680
privileged-programs: cant set setuid/setgid to new accounts/groups

Previous Next

Package: guix;

Reported by: Dariqq <dariqq <at> posteo.net>

Date: Mon, 7 Oct 2024 14:56:02 UTC

Severity: normal

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Dariqq <dariqq <at> posteo.net>
To: bug-guix <at> gnu.org
Subject: privileged-programs: cant set setuid/setgid to new accounts/groups
Date: Mon,  7 Oct 2024 14:55:16 +0000

Hi,

I was writing a service which (among other things) adds a setuid/setgid 
binary for new account+groupn. I got errors and warnings when trying to 
instantiate the operating system.


As a reproducer consider this os which tries to privilege the hello 
package to a hello user and group (I started this operating system with 
guix system container.):

#+begin_src scheme
(use-modules (gnu)
	     (gnu services))
(use-system-modules privilege shadow)
(use-package-modules base admin)

(define %hello-accounts
  (list (user-group (name "hello") (system? #t))
        (user-account
         (name "hello")
         (group "hello")
         (system? #t)
         (comment "hello user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

(define %hello-privileged
  (list
   (privileged-program
    (program (file-append hello "/bin/hello"))
    (setuid? #t)
    (setgid? #t)
    (user "hello")
    (group "hello"))))

(define hello-service-type
  (service-type
   (name 'hello)
   (extensions
    (list (service-extension account-service-type
                             (const %hello-accounts))
	  (service-extension privileged-program-service-type
                             (const %hello-privileged))))
   (default-value #f)
   (description "Hello Reproducer")))


(operating-system
  (host-name "hello-test")
  (services
   (cons (service hello-service-type) %base-services))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda")))))
#+end_src



*  when setuid? is #t (regardless of setgid?) I get a fatal error:

setting up privileged programs in '/run/privileged/bin'...
Backtrace:
[...]
In gnu/build/activation.scm:
   364:57  1 (_)
In unknown file:
           0 (getpw "hello")

ERROR: In procedure getpw:
In procedure getpw: entry not found

Which seems to indicate that the user does not yet exist?

* when setuid? is #f, user field is commented and setgid? #t there is a 
nonfatal warning, however privileging fails:

setting up privileged programs in '/run/privileged/bin'...
warning: failed to privilege 
"/gnu/store/8bjy9g0cssjrw9ljz2r8ww1sma95isfj-hello-2.12.1/bin/hello": No 
such file or directory

When the griup is changed to 0/"root" (the default) things work, i think 
because that account already exists.


As another example: the opensmtpd-service-type adds its utilties as 
setgid smtpq.

The systemtest is failing with the same error: 
https://ci.guix.gnu.org/build/6060982/details

From the log
warning: failed to privilege 
"/gnu/store/2ng9wzk5d13xcxhk7w7k5zzdm24shk91-opensmtpd-7.5.0p0/sbin/smtpctl": 
No such file or directory




However things are very weird because I have the opensmtpd server 
running and working locally.

maybe a weird race-condition between account-creation and setting up 
privileged programs? Can we ensure that the account creation always 
happens before privileged programs are created?
This bug report was last modified 211 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.