From patchwork Sun Feb 5 00:00:10 2023
X-Patchwork-Submitter: Tobias Geerinckx-Rice
X-Patchwork-Id: 46895
Subject: [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs.
References: <87r0uuehlr.fsf@nckx>
In-Reply-To: <87r0uuehlr.fsf@nckx>
To: 61462@debbugs.gnu.org
Date: Sun, 5 Feb 2023 01:00:10 +0100
Message-Id: <20230205000019.6259-1-me@tobias.gr>
X-Mailer: git-send-email 2.39.1
From: Tobias Geerinckx-Rice

It has been a warning for well over a year now. Now, with privileged-programs coming, don't let's support nested deprecation hacks.

* gnu/system.scm (): Don't ‘sanitize’ the setuid-programs field.
(ensure-setuid-program-list): Delete syntax.
(%ensure-setuid-program-list): Delete variable.
---
 gnu/system.scm | 28 +---------------------------
 1 file changed, 1 insertion(+), 27 deletions(-)

base-commit: 2b1383c0a2f79117103b142440c64f6a751d545d
prerequisite-patch-id: f49f51dfc2e47144c8c9b27534f4d041d4c0abce diff --git a/gnu/system.scm b/gnu/system.scm index df60fda53b..85380136e2 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -297,8 +297,7 @@ (define-record-type* operating-system (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) (setuid-programs operating-system-setuid-programs - (default %setuid-programs) ; list of - (sanitize ensure-setuid-program-list)) + (default %setuid-programs)) ; list of (sudoers-file operating-system-sudoers-file ; file-like (default %sudoers-specification)) @@ -1214,31 +1213,6 @@ (define (operating-system-environment-variables os) ;; TODO: Remove when glibc@2.23 is long gone. ("GUIX_LOCPATH" . "/run/current-system/locale"))) -;; Ensure LST is a list of records and warn otherwise. -(define-with-syntax-properties (ensure-setuid-program-list (lst properties)) - (%ensure-setuid-program-list lst properties)) - -;; We want to be able to use defines, so define a procedure. -(define (%ensure-setuid-program-list lst properties) - (define warned? #f) - - (define (warn-once) - (unless warned? - (warning (source-properties->location properties) - (G_ "representing setuid programs with file-like objects is \ -deprecated; use 'setuid-program' instead~%")) - (set! warned? #t))) - - (map (match-lambda - ((? setuid-program? program) - program) - (program - ;; PROGRAM is a file-like or a gexp like #~(string-append #$foo - ;; "/bin/bar"). - (warn-once) - (setuid-program (program program)))) - lst)) - (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow)))
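Review bot: the first hunk (the `setuid-programs` field of the operating-system record) drops the `(sanitize ensure-setuid-program-list)` clause without replacing it, so the field now accepts any list with no type check at all: a file-like or gexp entry is no longer coerced or warned about, it is stored as-is and only fails later, wherever a `setuid-program` accessor is applied to it, with no source location pointing at the offending `operating-system` declaration. Since the subject line says "Disallow", consider keeping a sanitizer that raises an error with the field's location (the deleted code already computes `(source-properties->location properties)`) rather than removing the check entirely.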
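Review bot: the second hunk deletes the only visible users of `define-with-syntax-properties`, `warning`, `source-properties->location`, `G_` and `match-lambda` in this region; please check whether the corresponding module imports in gnu/system.scm (the diagnostics, i18n and match modules) are now unused and drop them in the same commit to avoid a compiler warning. Also, the removed message told users to "use 'setuid-program' instead"; with the shim gone, users of the deprecated form lose that hint, so the change deserves a news entry and a manual note that file-like objects in `setuid-programs` are no longer accepted.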