services: setuid: More configurable setuid support.
New record <setuid-program> with fields for setting the specific user and group, as well as specifically selecting the setuid and setgid bits, for a program within the setuid-program-service. * gnu/services.scm (setuid-program-file-like-deprecated): New function. (setuid-program-service-type): Make use of setuid-program->activation-gexp. Adjust the extend property to handle <setuid-program>. * gnu/build/activation.scm (activate-setuid-programs): Update to expect a <setuid-record> list for each program entry. * gnu/system.scm: (operating-system-setuid-programs): Renamed to %operating-system-setuid-programs and replace it with new procedure. (operating-system-default-essential-services, hurd-default-essential-services): Replace operating-system-setuid-programs with %operating-system-setuid-programs. * gnu/system/setuid.scm: New file. * doc/guix.texi (Setuid Programs): Document <setuid-program>. Co-authored-by: Brice Waegeneire <brice@waegenei.re>
This commit is contained in:
parent
5a1ce6cf70
commit
a7ac19851b
@ -46,7 +46,7 @@ Copyright @copyright{} 2017 Federico Beffa@*
|
||||
Copyright @copyright{} 2017, 2018 Carlo Zancanaro@*
|
||||
Copyright @copyright{} 2017 Thomas Danckaert@*
|
||||
Copyright @copyright{} 2017 humanitiesNerd@*
|
||||
Copyright @copyright{} 2017, 2021 Christopher Lemmer Webber@*
|
||||
Copyright @copyright{} 2017, 2021 Christine Lemmer-Webber@*
|
||||
Copyright @copyright{} 2017, 2018, 2019, 2020 Marius Bakke@*
|
||||
Copyright @copyright{} 2017, 2019, 2020 Hartmut Goebel@*
|
||||
Copyright @copyright{} 2017, 2019, 2020, 2021 Maxim Cournoyer@*
|
||||
@ -32398,6 +32398,30 @@ package, can be designated by this G-expression (@pxref{G-Expressions}):
|
||||
#~(string-append #$shadow "/bin/passwd")
|
||||
@end example
|
||||
|
||||
@deftp {Data Type} setuid-program
|
||||
This data type represents a program with a setuid or setgid bit set.
|
||||
|
||||
@table @asis
|
||||
@item @code{program}
|
||||
A file-like object having its setuid and/or setgid bit set.
|
||||
|
||||
@item @code{setuid?} (default: @code{#t})
|
||||
Whether to set user setuid bit.
|
||||
|
||||
@item @code{setgid?} (default: @code{#f})
|
||||
Whether to set group setgid bit.
|
||||
|
||||
@item @code{user} (default: @code{0})
|
||||
UID (integer) or user name (string) for the user owner of the program,
|
||||
defaults to root.
|
||||
|
||||
@item @code{group} (default: @code{0})
|
||||
GID (integer) goup name (string) for the group owner of the program,
|
||||
defaults to root.
|
||||
|
||||
@end table
|
||||
@end deftp
|
||||
|
||||
A default set of setuid programs is defined by the
|
||||
@code{%setuid-programs} variable of the @code{(gnu system)} module.
|
||||
|
||||
|
@ -6,6 +6,8 @@
|
||||
;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
|
||||
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
|
||||
;;; Copyright © 2020 Christine Lemmer-Webber <cwebber@dustycloud.org>
|
||||
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
@ -24,6 +26,7 @@
|
||||
|
||||
(define-module (gnu build activation)
|
||||
#:use-module (gnu system accounts)
|
||||
#:use-module (gnu system setuid)
|
||||
#:use-module (gnu build accounts)
|
||||
#:use-module (gnu build linux-boot)
|
||||
#:use-module (guix build utils)
|
||||
@ -279,14 +282,17 @@ they already exist."
|
||||
"/run/setuid-programs")
|
||||
|
||||
(define (activate-setuid-programs programs)
|
||||
"Turn PROGRAMS, a list of file names, into setuid programs stored under
|
||||
%SETUID-DIRECTORY."
|
||||
(define (make-setuid-program prog)
|
||||
"Turn PROGRAMS, a list of file setuid-programs record, into setuid programs
|
||||
stored under %SETUID-DIRECTORY."
|
||||
(define (make-setuid-program program setuid? setgid? uid gid)
|
||||
(let ((target (string-append %setuid-directory
|
||||
"/" (basename prog))))
|
||||
(copy-file prog target)
|
||||
(chown target 0 0)
|
||||
(chmod target #o4555)))
|
||||
"/" (basename program)))
|
||||
(mode (+ #o0555 ; base permissions
|
||||
(if setuid? #o4000 0) ; setuid bit
|
||||
(if setgid? #o2000 0)))) ; setgid bit
|
||||
(copy-file program target)
|
||||
(chown target uid gid)
|
||||
(chmod target mode)))
|
||||
|
||||
(format #t "setting up setuid programs in '~a'...~%"
|
||||
%setuid-directory)
|
||||
@ -302,15 +308,27 @@ they already exist."
|
||||
(for-each (lambda (program)
|
||||
(catch 'system-error
|
||||
(lambda ()
|
||||
(make-setuid-program program))
|
||||
(let* ((program-name (setuid-program-program program))
|
||||
(setuid? (setuid-program-setuid? program))
|
||||
(setgid? (setuid-program-setgid? program))
|
||||
(user (setuid-program-user program))
|
||||
(group (setuid-program-group program))
|
||||
(uid (match user
|
||||
((? string?) (passwd:uid (getpwnam user)))
|
||||
((? integer?) user)))
|
||||
(gid (match group
|
||||
((? string?) (group:gid (getgrnam group)))
|
||||
((? integer?) group))))
|
||||
(make-setuid-program program-name setuid? setgid? uid gid)))
|
||||
(lambda args
|
||||
;; If we fail to create a setuid program, better keep going
|
||||
;; so that we don't leave %SETUID-DIRECTORY empty or
|
||||
;; half-populated. This can happen if PROGRAMS contains
|
||||
;; incorrect file names: <https://bugs.gnu.org/38800>.
|
||||
(format (current-error-port)
|
||||
"warning: failed to make '~a' setuid-root: ~a~%"
|
||||
program (strerror (system-error-errno args))))))
|
||||
"warning: failed to make ~s setuid/setgid: ~a~%"
|
||||
(setuid-program-program program)
|
||||
(strerror (system-error-errno args))))))
|
||||
programs))
|
||||
|
||||
(define (activate-special-files special-files)
|
||||
|
@ -4,6 +4,8 @@
|
||||
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
|
||||
;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;; Copyright © 2021 raid5atemyhomework <raid5atemyhomework@protonmail.com>
|
||||
;;; Copyright © 2020 Christine Lemmer-Webber <cwebber@dustycloud.org>
|
||||
;;; Copyright © 2020, 2021 Brice Waegeneire <brice@waegenei.re>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
@ -40,6 +42,7 @@
|
||||
#:use-module (gnu packages base)
|
||||
#:use-module (gnu packages bash)
|
||||
#:use-module (gnu packages hurd)
|
||||
#:use-module (gnu system setuid)
|
||||
#:use-module (srfi srfi-1)
|
||||
#:use-module (srfi srfi-9)
|
||||
#:use-module (srfi srfi-9 gnu)
|
||||
@ -801,15 +804,49 @@ directory."
|
||||
FILES must be a list of name/file-like object pairs."
|
||||
(service etc-service-type files))
|
||||
|
||||
(define (setuid-program->activation-gexp programs)
|
||||
"Return an activation gexp for setuid-program from PROGRAMS."
|
||||
(let ((programs (map (lambda (program)
|
||||
;; FIXME This is really ugly, I didn't managed to use
|
||||
;; "inherit"
|
||||
(let ((program-name (setuid-program-program program))
|
||||
(setuid? (setuid-program-setuid? program))
|
||||
(setgid? (setuid-program-setgid? program))
|
||||
(user (setuid-program-user program))
|
||||
(group (setuid-program-group program)) )
|
||||
#~(setuid-program
|
||||
(setuid? #$setuid?)
|
||||
(setgid? #$setgid?)
|
||||
(user #$user)
|
||||
(group #$group)
|
||||
(program #$program-name))))
|
||||
programs)))
|
||||
(with-imported-modules (source-module-closure
|
||||
'((gnu system setuid)))
|
||||
#~(begin
|
||||
(use-modules (gnu system setuid))
|
||||
|
||||
(activate-setuid-programs (list #$@programs))))))
|
||||
|
||||
(define (setuid-program-file-like-deprecated file-like)
|
||||
(match file-like
|
||||
((? file-like? program)
|
||||
(warning
|
||||
(G_ "representing setuid programs with '~a' is \
|
||||
deprecated; use 'setuid-program' instead~%") program)
|
||||
(setuid-program (program program)))
|
||||
((? setuid-program? program)
|
||||
program)))
|
||||
|
||||
(define setuid-program-service-type
|
||||
(service-type (name 'setuid-program)
|
||||
(extensions
|
||||
(list (service-extension activation-service-type
|
||||
(lambda (programs)
|
||||
#~(activate-setuid-programs
|
||||
(list #$@programs))))))
|
||||
setuid-program->activation-gexp)))
|
||||
(compose concatenate)
|
||||
(extend append)
|
||||
(extend (lambda (config extensions)
|
||||
(map setuid-program-file-like-deprecated
|
||||
(append config extensions))))
|
||||
(description
|
||||
"Populate @file{/run/setuid-programs} with the specified
|
||||
executables, making them setuid-root.")))
|
||||
|
@ -7,7 +7,7 @@
|
||||
;;; Copyright © 2019 Meiyo Peng <meiyo.peng@gmail.com>
|
||||
;;; Copyright © 2019, 2020 Miguel Ángel Arruga Vivas <rosen644835@gmail.com>
|
||||
;;; Copyright © 2020 Danny Milosavljevic <dannym@scratchpost.org>
|
||||
;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
|
||||
;;; Copyright © 2020, 2021 Brice Waegeneire <brice@waegenei.re>
|
||||
;;; Copyright © 2020 Florian Pelz <pelzflorian@pelzflorian.de>
|
||||
;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
|
||||
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <jannek@gnu.org>
|
||||
@ -74,6 +74,7 @@
|
||||
#:use-module (gnu system locale)
|
||||
#:use-module (gnu system pam)
|
||||
#:use-module (gnu system linux-initrd)
|
||||
#:use-module (gnu system setuid)
|
||||
#:use-module (gnu system uuid)
|
||||
#:use-module (gnu system file-systems)
|
||||
#:use-module (gnu system mapped-devices)
|
||||
@ -267,7 +268,7 @@
|
||||
|
||||
(pam-services operating-system-pam-services ; list of PAM services
|
||||
(default (base-pam-services)))
|
||||
(setuid-programs operating-system-setuid-programs
|
||||
(setuid-programs %operating-system-setuid-programs
|
||||
(default %setuid-programs)) ; list of string-valued gexps
|
||||
|
||||
(sudoers-file operating-system-sudoers-file ; file-like
|
||||
@ -671,7 +672,7 @@ bookkeeping."
|
||||
(operating-system-environment-variables os))
|
||||
host-name procs root-fs
|
||||
(service setuid-program-service-type
|
||||
(operating-system-setuid-programs os))
|
||||
(%operating-system-setuid-programs os))
|
||||
(service profile-service-type
|
||||
(operating-system-packages os))
|
||||
other-fs
|
||||
@ -701,7 +702,7 @@ bookkeeping."
|
||||
(pam-root-service (operating-system-pam-services os))
|
||||
(operating-system-etc-service os)
|
||||
(service setuid-program-service-type
|
||||
(operating-system-setuid-programs os))
|
||||
(%operating-system-setuid-programs os))
|
||||
(service profile-service-type (operating-system-packages os)))))
|
||||
|
||||
(define* (operating-system-services os)
|
||||
@ -1065,6 +1066,11 @@ use 'plain-file' instead~%")
|
||||
;; TODO: Remove when glibc@2.23 is long gone.
|
||||
("GUIX_LOCPATH" . "/run/current-system/locale")))
|
||||
|
||||
(define (operating-system-setuid-programs os)
|
||||
"Return the setuid programs for OS, as a list of setuid-program record."
|
||||
(map file-like->setuid-program
|
||||
(%operating-system-setuid-programs os)))
|
||||
|
||||
(define %setuid-programs
|
||||
;; Default set of setuid-root programs.
|
||||
(let ((shadow (@ (gnu packages admin) shadow)))
|
||||
|
Loading…
Reference in New Issue
Block a user