futurile/guix-play
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

system: Disallow file-like setuid-programs.

Browse Source 
It has been a warning for well over a year now.  Now, with
privileged-programs coming, don't let's support nested deprecation
hacks.

* gnu/system.scm (<operating-system>):
Don't ‘sanitize’ the setuid-programs field.
(ensure-setuid-program-list): Delete syntax.
(%ensure-setuid-program-list): Delete variable.
This commit is contained in:
Tobias Geerinckx-Rice 2022-10-23 02:00:00 +02:00
parent 6c045f2c9e
commit 0dffb851e0
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
1 changed files with 1 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
gnu/system.scm
View File

@ -302,8 +302,7 @@ VERSION is the target version of the boot-parameters record."
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
(setuid-programs operating-system-setuid-programs
(default %setuid-programs) ; list of <setuid-program>
(sanitize ensure-setuid-program-list))
(default %setuid-programs)) ; list of <setuid-program>
(sudoers-file operating-system-sudoers-file ; file-like
(default %sudoers-specification))
@ -1240,31 +1239,6 @@ use 'plain-file' instead~%")
;; when /etc/machine-id is missing. Make sure these warnings are non-fatal.
("DBUS_FATAL_WARNINGS" . "0")))
;; Ensure LST is a list of <setuid-program> records and warn otherwise.
(define-with-syntax-properties (ensure-setuid-program-list (lst properties))
(%ensure-setuid-program-list lst properties))
;; We want to be able to use defines, so define a procedure.
(define (%ensure-setuid-program-list lst properties)
(define warned? #f)
(define (warn-once)
(unless warned?
(warning (source-properties->location properties)
(G_ "representing setuid programs with file-like objects is \
deprecated; use 'setuid-program' instead~%"))
(set! warned? #t)))
(map (match-lambda
((? setuid-program? program)
program)
(program
;; PROGRAM is a file-like or a gexp like #~(string-append #$foo
;; "/bin/bar").
(warn-once)
(setuid-program (program program))))
lst))
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))