GNU bug report logs - #73767
[PATCH] gnu: system: Privilege programs after creating accounts.


Package: guix-patches;

Reported by: Dariqq <dariqq <at> posteo.net>

Date: Sat, 12 Oct 2024 08:08:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Dariqq <dariqq <at> posteo.net>
Subject: bug#73767: closed (Re: [bug#73767] [PATCH] gnu: system: Privilege
 programs after creating accounts.)
Date: Thu, 24 Oct 2024 10:16:03 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#73767: [PATCH] gnu: system: Privilege programs after creating accounts.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 73767 <at> debbugs.gnu.org.

-- 
73767: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73767
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Dariqq <dariqq <at> posteo.net>
Cc: 73767-done <at> debbugs.gnu.org, 73680-done <at> debbugs.gnu.org
Subject: Re: [bug#73767] [PATCH] gnu: system: Privilege programs after
 creating accounts.
Date: Thu, 24 Oct 2024 12:14:50 +0200
Hi Dariqq,

Dariqq <dariqq <at> posteo.net> skribis:

> Ensure that users and groups are already created when the privileging script
> runs. The order these scripts appear in the folded activation-service depends
> on the order these services are instantiated in the operating-system.
>
> Fixes https://issues.guix.gnu.org/73680.
>
> * gnu/system.scm (operating-system-default-essential-services): Move
> privileged-program-service above account-service.
> (hurd-default-essential-services): Likewise.
>
> Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e

[...]

> I would prefer a solution that also models this dependency to not depend on input order but this might be tricky.

Yes, that would be best.

I applied both patches and took the liberty to squash them: we usually
arrange to have the bug-fix and the test that exhibits the bug in the
same commit, for clarity.

Thanks for the investigation & fix!

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Dariqq <dariqq <at> posteo.net>
To: guix-patches <at> gnu.org
Cc: Dariqq <dariqq <at> posteo.net>
Subject: [PATCH] gnu: system: Privilege programs after creating accounts.
Date: Sat, 12 Oct 2024 07:55:58 +0000
Ensure that users and groups are already created when the privileging script
runs. The order these scripts appear in the folded activation-service depends
on the order these services are instantiated in the operating-system.

Fixes https://issues.guix.gnu.org/73680.

* gnu/system.scm (operating-system-default-essential-services): Move
privileged-program-service above account-service.
(hurd-default-essential-services): Likewise.

Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e
---
Hi,
I tested that this fixes my problem of setting something suid to a new user. For the Hurd change I only looked at the final value of activation-service type in hurd-barebones-os and confirmed that
'#<gexp  gnu/system/shadow.scm:430:4>' is before #<gexp  gnu/services.scm:922:6> (which is the privileging script).
I would prefer a solution that also models this dependency to not depend on input order but this might be tricky.


 gnu/system.scm | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 44f93f91d1..c19730b331 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -809,6 +809,11 @@ (define (operating-system-default-essential-services os)
            %shepherd-root-service
 
            (pam-root-service (operating-system-pam-services os))
+           ;; Make sure that privileged-programs activation script
+           ;; runs after accounts are created
+           (service privileged-program-service-type
+                    (append (operating-system-privileged-programs os)
+                            (operating-system-setuid-programs os)))
            (account-service (append (operating-system-accounts os)
                                     (operating-system-groups os))
                             (operating-system-skeletons os))
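
Review bot: The comment on the added block in operating-system-default-essential-services says the privileging script "runs after accounts are created", but the block sits before `account-service` in the list, and the comment does not say that this list position is what produces the ordering. Suggest stating that the service must stay above `account-service` because the order of the activation scripts follows the order in which the services are instantiated here. Otherwise a later reshuffle of this list can silently bring back the case where a privileged program refers to a user or group that does not exist yet.
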
@@ -826,9 +831,6 @@ (define (operating-system-default-essential-services os)
             (operating-system-environment-variables os))
            (service host-name-service-type host-name)
            procs root-fs
-           (service privileged-program-service-type
-                    (append (operating-system-privileged-programs os)
-                            (operating-system-setuid-programs os)))
            (service profile-service-type
                     (operating-system-packages os))
            boot-fs non-boot-fs
@@ -850,6 +852,11 @@ (define (hurd-default-essential-services os)
           (service shepherd-root-service-type)
 
           (service user-processes-service-type)
+          ;; Make sure that privileged-programs activation script
+          ;; runs after accounts are created
+          (service privileged-program-service-type
+                   (append (operating-system-privileged-programs os)
+                           (operating-system-setuid-programs os)))
           (account-service (append (operating-system-accounts os)
                                    (operating-system-groups os))
                            (operating-system-skeletons os))
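
Review bot: The five lines added to hurd-default-essential-services repeat, word for word, the comment and `(service privileged-program-service-type ...)` form added to operating-system-default-essential-services, so the ordering constraint is now written down in two places. Consider building the privileged-program service once in a small helper used by both functions, with the explanation of why it must precede `account-service` kept next to that helper, so the two lists cannot drift apart.
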
@@ -866,9 +873,6 @@ (define (hurd-default-essential-services os)
                               (list `("hosts" ,hosts-file)))
               (service hosts-service-type
                        (local-host-entries host-name)))
-          (service privileged-program-service-type
-                   (append (operating-system-privileged-programs os)
-                           (operating-system-setuid-programs os)))
           (service profile-service-type (operating-system-packages os)))))
 
 (define* (operating-system-services os)

base-commit: b8fd792ea267cb920da0651074a533d8abf00488
-- 
2.46.0




This bug report was last modified 303 days ago.
