From patchwork Tue Jul 6 20:03:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Brice Waegeneire X-Patchwork-Id: 31206 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 192F027BC78; Tue, 6 Jul 2021 21:04:14 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-5.2 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 311B527BC81 for ; Tue, 6 Jul 2021 21:04:13 +0100 (BST) Received: from localhost ([::1]:50582 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1m0rIi-0004Sn-8f for patchwork@mira.cbaines.net; Tue, 06 Jul 2021 16:04:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:44268) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1m0rIZ-0004OP-Hl for guix-patches@gnu.org; Tue, 06 Jul 2021 16:04:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:38744) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1m0rIZ-0007i3-9k for guix-patches@gnu.org; Tue, 06 Jul 2021 16:04:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1m0rIZ-0007jX-8r for guix-patches@gnu.org; Tue, 06 Jul 2021 16:04:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#44700] [PATCH v3 2/2] services: Migrate to . Resent-From: Brice Waegeneire Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 06 Jul 2021 20:04:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 44700 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 44700@debbugs.gnu.org Cc: cwebber@dustycloud.org Received: via spool by 44700-submit@debbugs.gnu.org id=B44700.162560182729672 (code B ref 44700); Tue, 06 Jul 2021 20:04:03 +0000 Received: (at 44700) by debbugs.gnu.org; 6 Jul 2021 20:03:47 +0000 Received: from localhost ([127.0.0.1]:50284 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1m0rIF-0007iM-17 for submit@debbugs.gnu.org; Tue, 06 Jul 2021 16:03:47 -0400 Received: from relay5-d.mail.gandi.net ([217.70.183.197]:49075) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1m0rI4-0007he-9C for 44700@debbugs.gnu.org; Tue, 06 Jul 2021 16:03:33 -0400 Received: (Authenticated sender: brice@waegenei.re) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id A02FA1C0004; Tue, 6 Jul 2021 20:03:25 +0000 (UTC) From: Brice Waegeneire Date: Tue, 6 Jul 2021 22:03:20 +0200 Message-Id: <20210706200320.27113-3-brice@waegenei.re> X-Mailer: git-send-email 2.31.1 In-Reply-To: <87v95oeq58.fsf@dustycloud.org> References: <87v95oeq58.fsf@dustycloud.org> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches * gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs): Return setuid-programs. * gnu/services/desktop.scm (enlightenment-setuid-programs): Return setuid-programs. (%desktop-services)[mount-setuid-helpers]: Use setuid-programs. * gnu/services/docker.scm (singularity-setuid-programs): Return setuid-programs. * gnu/services/xorg.scm(screen-locker-setuid-programs): Return setuid-programs. * gnu/system.scm (%setuid-programs): Return setuid-programs. * doc/guix.texi (Setuid Programs, operating-system Reference): Replace 'list of G-expressions' with 'list of '. --- doc/guix.texi | 19 +++++++++++-------- gnu/services/dbus.scm | 13 +++++++++---- gnu/services/desktop.scm | 26 ++++++++++++++++---------- gnu/services/docker.scm | 9 ++++++--- gnu/services/xorg.scm | 4 +++- gnu/system.scm | 31 ++++++++++++++++--------------- 6 files changed, 61 insertions(+), 41 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f7a72b9885..7919332521 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -13860,8 +13860,8 @@ Linux @dfn{pluggable authentication module} (PAM) services. @c FIXME: Add xref to PAM services section. @item @code{setuid-programs} (default: @code{%setuid-programs}) -List of string-valued G-expressions denoting setuid programs. -@xref{Setuid Programs}. +List of @code{}. @xref{Setuid Programs}, for more +information. @item @code{sudoers-file} (default: @code{%sudoers-specification}) @cindex sudoers file @@ -32421,13 +32421,15 @@ the store, we let the system administrator @emph{declare} which programs should be setuid root. The @code{setuid-programs} field of an @code{operating-system} -declaration contains a list of G-expressions denoting the names of -programs to be setuid-root (@pxref{Using the Configuration System}). -For instance, the @command{passwd} program, which is part of the Shadow -package, can be designated by this G-expression (@pxref{G-Expressions}): +declaration contains a list of @code{} denoting the +names of programs to have a setuid or setgid bit set (@pxref{Using the +Configuration System}). For instance, the @command{passwd} program, +which is part of the Shadow package, with a setuid root can be +designated like this: @example -#~(string-append #$shadow "/bin/passwd") +(setuid-program + (program (file-append #$shadow "/bin/passwd"))) @end example @deftp {Data Type} setuid-program @@ -32458,7 +32460,8 @@ A default set of setuid programs is defined by the @code{%setuid-programs} variable of the @code{(gnu system)} module. @defvr {Scheme Variable} %setuid-programs -A list of G-expressions denoting common programs that are setuid-root. +A list of @code{} denoting common programs that are +setuid-root. The list includes commands such as @command{passwd}, @command{ping}, @command{su}, and @command{sudo}. diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm index af1a1e4c3a..e7b3dac166 100644 --- a/gnu/services/dbus.scm +++ b/gnu/services/dbus.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -21,6 +22,7 @@ (define-module (gnu services dbus) #:use-module (gnu services) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu packages glib) #:select (dbus)) @@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in (shell (file-append shadow "/sbin/nologin"))))) (define dbus-setuid-programs - ;; Return the file name of the setuid program that we need. + ;; Return a list of for the program that we need. (match-lambda (($ dbus services) - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) + (list (setuid-program + (program (file-append + dbus "/libexec/dbus-daemon-launch-helper"))))))) (define (dbus-activation config) "Return an activation gexp for D-Bus using @var{config}." @@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it." (define polkit-setuid-programs (match-lambda (($ polkit) - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") - (file-append polkit "/bin/pkexec"))))) + (map file-like->setuid-program + (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") + (file-append polkit "/bin/pkexec")))))) (define polkit-service-type (service-type (name 'polkit) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index cd800fcc2b..64d0e85301 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2019 David Wilson ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2020 Reza Alizadeh Majd +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +41,7 @@ #:use-module ((gnu system file-systems) #:select (%elogind-file-systems file-system)) #:use-module (gnu system) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module (gnu packages glib) @@ -1034,14 +1036,15 @@ rules." (define (enlightenment-setuid-programs enlightenment-desktop-configuration) (match-record enlightenment-desktop-configuration - - (enlightenment) - (list (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_sys") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_system") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_ckpasswd")))) + + (enlightenment) + (map file-like->setuid-program + (list (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_sys") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_system") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_ckpasswd"))))) (define enlightenment-desktop-service-type (service-type @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) ;; Allow desktop users to also mount NTFS and NFS file systems ;; without root. (simple-service 'mount-setuid-helpers setuid-program-service-type - (list (file-append nfs-utils "/sbin/mount.nfs") - (file-append ntfs-3g "/sbin/mount.ntfs-3g"))) + (map (lambda (program) + (setuid-program + (program program))) + (list (file-append nfs-utils "/sbin/mount.nfs") + (file-append ntfs-3g "/sbin/mount.ntfs-3g")))) ;; The global fontconfig cache directory can sometimes contain ;; stale entries, possibly referencing fonts that have been GC'd, diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index be85316180..ef551480aa 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2020, 2021 Maxim Cournoyer ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services base) #:use-module (gnu services dbus) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity @@ -195,9 +197,10 @@ bundles in Docker containers.") "-helper"))) '("action" "mount" "start"))))) - (list (file-append helpers "/singularity-action-helper") - (file-append helpers "/singularity-mount-helper") - (file-append helpers "/singularity-start-helper"))) + (map file-like->setuid-program + (list (file-append helpers "/singularity-action-helper") + (file-append helpers "/singularity-mount-helper") + (file-append helpers "/singularity-start-helper")))) (define singularity-service-type (service-type (name 'singularity) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8ffea3b9dd..d95f8beb7a 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 shtwzrd ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Alex Griffin +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system setuid) #:use-module (gnu system keyboard) #:use-module (gnu services base) #:use-module (gnu services dbus) @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" #:allow-empty-passwords? empty?))))) (define screen-locker-setuid-programs - (compose list screen-locker-program)) + (compose list file-like->setuid-program screen-locker-program)) (define screen-locker-service-type (service-type (name 'screen-locker) diff --git a/gnu/system.scm b/gnu/system.scm index 385c36a484..681dd33630 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -1105,22 +1105,23 @@ use 'plain-file' instead~%") (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) - (list (file-append shadow "/bin/passwd") - (file-append shadow "/bin/sg") - (file-append shadow "/bin/su") - (file-append shadow "/bin/newgrp") - (file-append shadow "/bin/newuidmap") - (file-append shadow "/bin/newgidmap") - (file-append inetutils "/bin/ping") - (file-append inetutils "/bin/ping6") - (file-append sudo "/bin/sudo") - (file-append sudo "/bin/sudoedit") - (file-append fuse "/bin/fusermount") + (map file-like->setuid-program + (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/sg") + (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") + (file-append shadow "/bin/newuidmap") + (file-append shadow "/bin/newgidmap") + (file-append inetutils "/bin/ping") + (file-append inetutils "/bin/ping6") + (file-append sudo "/bin/sudo") + (file-append sudo "/bin/sudoedit") + (file-append fuse "/bin/fusermount") - ;; To allow mounts with the "user" option, "mount" and "umount" must - ;; be setuid-root. - (file-append util-linux "/bin/mount") - (file-append util-linux "/bin/umount")))) + ;; To allow mounts with the "user" option, "mount" and "umount" must + ;; be setuid-root. + (file-append util-linux "/bin/mount") + (file-append util-linux "/bin/umount"))))) (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'