@@ -358,7 +358,7 @@ System Configuration
* Keyboard Layout:: How the system interprets key strokes.
* Locales:: Language and cultural convention settings.
* Services:: Specifying system services.
-* Setuid Programs:: Programs running with elevated privileges.
+* Privileged Programs:: Programs running with elevated privileges.
* X.509 Certificates:: Authenticating HTTPS servers.
* Name Service Switch:: Configuring libc's name service switch.
* Initial RAM Disk:: Linux-Libre bootstrapping.
@@ -16146,7 +16146,7 @@ instance to support new system services.
* Keyboard Layout:: How the system interprets key strokes.
* Locales:: Language and cultural convention settings.
* Services:: Specifying system services.
-* Setuid Programs:: Programs running with elevated privileges.
+* Privileged Programs:: Programs running with elevated privileges.
* X.509 Certificates:: Authenticating HTTPS servers.
* Name Service Switch:: Configuring libc's name service switch.
* Initial RAM Disk:: Linux-Libre bootstrapping.
@@ -16591,9 +16591,9 @@ As a user you should @emph{never} need to touch this field.
Linux @dfn{pluggable authentication module} (PAM) services.
@c FIXME: Add xref to PAM services section.
-@item @code{setuid-programs} (default: @code{%setuid-programs})
-List of @code{<setuid-program>}. @xref{Setuid Programs}, for more
-information.
+@item @code{privileged-programs} (default: @code{%default-privileged-programs})
+List of @code{<privileged-program>}. @xref{Privileged Programs}, for
+more information.
@item @code{sudoers-file} (default: @code{%sudoers-specification})
@cindex sudoers file
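Review bot: the `@code{setuid-programs}` entry of the `operating-system` field table is dropped here, yet the record definition in this same patch keeps the `setuid-programs` field (commented "For backwards compatibility; will be removed"). Keep a short entry for the old field, marked deprecated and pointing at `privileged-programs`, so users who still have it in their configuration learn what replaces it, e.g. `@item @code{setuid-programs} (default: @code{%setuid-programs})` followed by "Deprecated; use @code{privileged-programs} instead."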
@@ -22047,8 +22047,8 @@ Usually the X server is started by a login manager.
@deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}]
Add @var{package}, a package for a screen locker or screen saver whose
-command is @var{program}, to the set of setuid programs and add a PAM entry
-for it. For example:
+command is @var{program}, to the set of privileged programs and add a PAM
+entry for it. For example:
@lisp
(screen-locker-service xlockmore "xlock")
@@ -22965,9 +22965,9 @@ to operate with elevated privileges on a limited number of special-purpose
system interfaces. Additionally, adding a service of type
@code{mate-desktop-service-type} adds the MATE metapackage to the system
profile. ``Adding Enlightenment'' means that @code{dbus} is extended
-appropriately, and several of Enlightenment's binaries are set as setuid,
-allowing Enlightenment's screen locker and other functionality to work as
-expected.
+appropriately, and several of Enlightenment's binaries are set as privileged
+programs, allowing Enlightenment's screen locker and other functionality to
+work as expected.
The desktop environments in Guix use the Xorg display server by
default. If you'd like to use the newer display server protocol
@@ -25905,7 +25905,7 @@ remote servers. Run @command{man smtpd.conf} for more information.
Make the following commands setgid to @code{smtpq} so they can be
executed: @command{smtpctl}, @command{sendmail}, @command{send-mail},
@command{makemap}, @command{mailq}, and @command{newaliases}.
-@xref{Setuid Programs}, for more information on setgid programs.
+@xref{Privileged Programs}, for more information on setgid programs.
@end table
@end deftp
@@ -37704,8 +37704,8 @@ create and run application bundles (aka. ``containers''). The value for this
service is the Singularity package to use.
The service does not install a daemon; instead, it installs helper programs as
-setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke
-@command{singularity run} and similar commands.
+setuid-root (@pxref{Privileged Programs}) such that unprivileged users can
+invoke @command{singularity run} and similar commands.
@end defvar
@cindex Audit
@@ -38136,11 +38136,14 @@ Mode for filter.
@c End of auto-generated fail2ban documentation.
-@node Setuid Programs
-@section Setuid Programs
+@node Privileged Programs
+@section Privileged Programs
+@cindex privileged programs
@cindex setuid programs
@cindex setgid programs
+@cindex capabilities, POSIX
+@cindex setcap
Some programs need to run with elevated privileges, even when they are
launched by unprivileged users. A notorious example is the
@command{passwd} program, which users can run to change their
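Review bot: renaming `@node Setuid Programs` to `Privileged Programs` invalidates every existing cross-reference to the old node name; the `@xref`/`@pxref` occurrences inside this manual are updated by the patch, but links into the published manual from elsewhere are not. Add `@anchor{Setuid Programs}` right after the new `@node` line so the old name keeps resolving.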
@@ -38151,46 +38154,48 @@ obvious security reasons. To address that, @command{passwd} should be
(@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
for more info about the setuid mechanism).
-The store itself @emph{cannot} contain setuid programs: that would be a
-security issue since any user on the system can write derivations that
+The store itself @emph{cannot} contain privileged programs: that would be
+a security issue since any user on the system can write derivations that
populate the store (@pxref{The Store}). Thus, a different mechanism is
-used: instead of changing the setuid or setgid bits directly on files that
-are in the store, we let the system administrator @emph{declare} which
+used: instead of directly granting permissions to files that are in
+the store, we let the system administrator @emph{declare} which
programs should be entrusted with these additional privileges.
-The @code{setuid-programs} field of an @code{operating-system}
-declaration contains a list of @code{<setuid-program>} denoting the
+The @code{privileged-programs} field of an @code{operating-system}
+declaration contains a list of @code{<privileged-program>} denoting the
names of programs to have a setuid or setgid bit set (@pxref{Using the
Configuration System}). For instance, the @command{mount.nfs} program,
which is part of the nfs-utils package, with a setuid root can be
designated like this:
@lisp
-(setuid-program
- (program (file-append nfs-utils "/sbin/mount.nfs")))
+(privileged-program
+ (program (file-append nfs-utils "/sbin/mount.nfs"))
+ (setuid? #t))
@end lisp
And then, to make @command{mount.nfs} setuid on your system, add the
previous example to your operating system declaration by appending it to
-@code{%setuid-programs} like this:
+@code{%default-privileged-programs} like this:
@lisp
(operating-system
;; Some fields omitted...
- (setuid-programs
- (append (list (setuid-program
- (program (file-append nfs-utils "/sbin/mount.nfs"))))
- %setuid-programs)))
+ (privileged-programs
+ (append (list (privileged-program
+ (program (file-append nfs-utils "/sbin/mount.nfs"))
+ (setuid? #t))
+ %default-privileged-programs)))
@end lisp
-@deftp {Data Type} setuid-program
-This data type represents a program with a setuid or setgid bit set.
+@deftp {Data Type} privileged-program
+This data type represents a program with special privileges, such as setuid
@table @asis
@item @code{program}
-A file-like object having its setuid and/or setgid bit set.
+A file-like object to which all given privileges should apply.
-@item @code{setuid?} (default: @code{#t})
+@item @code{setuid?} (default: @code{#f})
Whether to set user setuid bit.
@item @code{setgid?} (default: @code{#f})
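Review bot: the added line `+This data type represents a program with special privileges, such as setuid` is a truncated sentence with no continuation or full stop before `@table @asis`; complete it, e.g. "... such as a setuid or setgid bit." Also, since `setuid?` now defaults to `#f`, a `privileged-program` record that sets neither `setuid?` nor `setgid?` no longer gets either bit, while the introductory paragraph still describes the field as listing "names of programs to have a setuid or setgid bit set"; state in that paragraph or in the `setuid?`/`setgid?` descriptions that the privileges have to be enabled explicitly.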
@@ -38207,18 +38212,18 @@ defaults to root.
@end table
@end deftp
-A default set of setuid programs is defined by the
-@code{%setuid-programs} variable of the @code{(gnu system)} module.
+A default set of privileged programs is defined by the
+@code{%default-privileged-programs} variable of the @code{(gnu system)} module.
-@defvar %setuid-programs
-A list of @code{<setuid-program>} denoting common programs that are
-setuid-root.
+@defvar {Scheme Variable} %default-privileged-programs
+A list of @code{<privileged-program>} denoting common programs with
+elevated privileges.
The list includes commands such as @command{passwd}, @command{ping},
@command{su}, and @command{sudo}.
@end defvar
-Under the hood, the actual setuid programs are created in the
+Under the hood, the actual privileged programs are created in the
@file{/run/privileged/bin} directory at system activation time. The
files in this directory refer to the ``real'' binaries, which are in the
store.
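Review bot: `@defvar {Scheme Variable} %default-privileged-programs` passes a `@defvr`-style category argument to `@defvar`, which takes only the variable name; the line being replaced (`@defvar %setuid-programs`) and the other definitions touched by this patch (`@defvar privileged-program-service-type`, `@defvar profile-service-type`) use the bare form. Change it to `@defvar %default-privileged-programs`.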
@@ -39089,7 +39094,7 @@ once @command{reconfigure} has completed.
@end quotation
This effects all the configuration specified in @var{file}: user
-accounts, system services, global package list, setuid programs, etc.
+accounts, system services, global package list, privileged programs, etc.
The command starts system services specified in @var{file} that are not
currently running; if a service is currently running this command will
arrange for it to be upgraded the next time it is stopped (e.g.@: by
@@ -40535,10 +40540,10 @@ tiresome to create multiple records with it so in practice the procedure
@end quotation
@end defvar
-@defvar setuid-program-service-type
-Type for the ``setuid-program service''. This service collects lists of
+@defvar privileged-program-service-type
+Type for the ``privileged-program service''. This service collects lists of
executable file names, passed as gexps, and adds them to the set of
-setuid and setgid programs on the system (@pxref{Setuid Programs}).
+privileged programs on the system (@pxref{Privileged Programs}).
@end defvar
@defvar profile-service-type
@@ -499,7 +499,7 @@ (define-public tomb
`(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
;; The "sudo" input is needed only to satisfy dependency checks in the
;; 'check' phase. The "sudo" used at runtime should come from the
- ;; system's setuid-programs, so ensure no reference is kept.
+ ;; system's privileged-programs, so ensure no reference is kept.
#:disallowed-references (,sudo)
;; TODO: Build and install gtk and qt trays
#:phases
@@ -44,7 +44,6 @@ (define-module (gnu services)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
#:use-module (gnu system privilege)
- #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -75,6 +75,7 @@ (define-module (gnu system)
#:use-module (gnu system locale)
#:use-module (gnu system pam)
#:use-module (gnu system linux-initrd)
+ #:use-module (gnu system privilege)
#:use-module (gnu system setuid)
#:use-module (gnu system uuid)
#:use-module (gnu system file-systems)
@@ -128,6 +129,7 @@ (define-module (gnu system)
operating-system-keyboard-layout
operating-system-name-service-switch
operating-system-pam-services
+ operating-system-privileged-programs
operating-system-setuid-programs
operating-system-skeletons
operating-system-sudoers-file
@@ -173,6 +175,7 @@ (define-module (gnu system)
local-host-aliases ;deprecated
local-host-entries
%root-account
+ %default-privileged-programs
%setuid-programs
%sudoers-specification
%base-packages
@@ -296,7 +299,10 @@ (define-record-type* <operating-system> operating-system
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
+ (privileged-programs operating-system-privileged-programs ; list of <privileged-program>
+ (default %default-privileged-programs))
(setuid-programs operating-system-setuid-programs
+ ;; For backwards compatibility; will be removed.
(default %setuid-programs)) ; list of <setuid-program>
(sudoers-file operating-system-sudoers-file ; file-like
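Review bot: the retained `setuid-programs` field carries the comment "For backwards compatibility; will be removed", but nothing warns a user who still sets it. Emit a deprecation warning when the field is non-empty (at `operating-system` construction or where the two lists are concatenated in the essential services) so the removal does not come as a surprise, and move the comment above the field rather than between its name and its `(default ...)` clause, matching the style of the surrounding fields.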
@@ -785,7 +791,8 @@ (define known-fs
(host-name-service host-name)
procs root-fs
(service privileged-program-service-type
- (operating-system-setuid-programs os))
+ (append (operating-system-privileged-programs os)
+ (operating-system-setuid-programs os)))
(service profile-service-type
(operating-system-packages os))
boot-fs non-boot-fs
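Review bot: `(append (operating-system-privileged-programs os) (operating-system-setuid-programs os))` is duplicated verbatim in `hurd-default-essential-services` below; factor it into one helper procedure returning the combined list so the compatibility shim has a single place to be removed later. Also confirm that `privileged-program-service-type` accepts the `<setuid-program>` records from the legacy list alongside `<privileged-program>` records, since the two lists are concatenated here without any conversion.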
@@ -826,7 +833,8 @@ (define (hurd-default-essential-services os)
(service hosts-service-type
(local-host-entries host-name)))
(service privileged-program-service-type
- (operating-system-setuid-programs os))
+ (append (operating-system-privileged-programs os)
+ (operating-system-setuid-programs os)))
(service profile-service-type (operating-system-packages os)))))
(define* (operating-system-services os)
@@ -1213,8 +1221,7 @@ (define (operating-system-environment-variables os)
;; TODO: Remove when glibc@2.23 is long gone.
("GUIX_LOCPATH" . "/run/current-system/locale")))
-(define %setuid-programs
- ;; Default set of setuid-root programs.
+(define %default-privileged-programs
(let ((shadow (@ (gnu packages admin) shadow)))
(map file-like->setuid-program
(list (file-append shadow "/bin/passwd")
@@ -1236,6 +1243,12 @@ (define %setuid-programs
(file-append util-linux "/bin/mount")
(file-append util-linux "/bin/umount")))))
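Review bot: `%default-privileged-programs` is still built with `(map file-like->setuid-program ...)`, so it is a list of `<setuid-program>` records, whereas the manual entry added in this patch describes it as "A list of `<privileged-program>`" and the documented example appends a `privileged-program` record to it. Either map with the corresponding constructor from `(gnu system privilege)` (newly imported into this module by the patch) or document that the list may contain both record types.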
+(define %setuid-programs
+ ;; Do not add to this list or use it in new code! It's defined only to ease
+ ;; transition to %default-privileged-programs and will be removed. Some rare
+ ;; use cases already break, such as the obvious (remove … %setuid-programs).
+ '())
+
(define %sudoers-specification
;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
;; group can do anything. See
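Review bot: with `%setuid-programs` now `'()`, a configuration that does `(remove pred %setuid-programs)` to drop one of the default programs, the case the comment acknowledges, silently removes nothing, and because `privileged-programs` defaults to `%default-privileged-programs` every default entry stays privileged; that is a privilege-expansion failure mode the administrator does not notice, not a visible breakage. Emit a deprecation warning whenever `%setuid-programs` or the `setuid-programs` field is used, and mention this behaviour change in the manual so administrators re-check which programs are setuid after reconfiguring.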