
[bug#61462,04/10] gnu: Replace (almost) all uses of /run/setuid-programs.

Message ID 20230205000019.6259-4-me@tobias.gr
State New
Series [bug#61462,01/10] system: Disallow file-like setuid-programs. | expand

Commit Message

Tobias Geerinckx-Rice Feb. 5, 2023, midnight UTC
…those good for master, anyway.

* gnu/packages/admin.scm (ktsuss, opendoas, hosts)
[arguments]: Replace /run/setuid-programs with /run/privileged/bin.
* gnu/packages/containers.scm (slirp4netns)[arguments]: Likewise.
* gnu/packages/debian.scm (pbuilder)[arguments]: Likewise.
* gnu/packages/disk.scm (udevil)[arguments]: Likewise.
* gnu/packages/enlightenment.scm (efl, enlightenment)
[arguments]: Likewise.
* gnu/packages/gnome.scm (gdm, gnome-control-center)
[arguments]: Likewise.
* gnu/packages/linux.scm (singularity)[arguments]: Likewise.
* gnu/packages/lxde.scm (spacefm)[arguments]: Likewise.
* gnu/packages/monitoring.scm (zabbix-agentd)[arguments]: Likewise.
* gnu/packages/virtualization.scm (ganeti)[arguments]: Likewise.
* gnu/packages/xdisorg.scm (xsecurelock)[arguments]: Likewise.
* gnu/services/dbus.scm (dbus-configuration-directory): Likewise.
* gnu/services/ganeti.scm (%default-ganeti-environment-variables):
Likewise.
* gnu/services/monitoring.scm (zabbix-agent-shepherd-service): Likewise.
* gnu/tests/ldap.scm (marionette): Likewise.
* gnu/tests/monitoring.scm (os): Likewise.
---
 gnu/machine/ssh.scm             |  2 ++
 gnu/packages/admin.scm          |  6 +++---
 gnu/packages/containers.scm     |  2 +-
 gnu/packages/debian.scm         |  4 ++--
 gnu/packages/disk.scm           | 14 +++++++-------
 gnu/packages/enlightenment.scm  | 10 +++++-----
 gnu/packages/gnome.scm          |  4 ++--
 gnu/packages/linux.scm          |  2 +-
 gnu/packages/lxde.scm           | 19 ++++++++-----------
 gnu/packages/monitoring.scm     |  2 +-
 gnu/packages/virtualization.scm |  2 +-
 gnu/packages/xdisorg.scm        |  2 +-
 gnu/services/dbus.scm           |  2 +-
 gnu/services/ganeti.scm         |  2 +-
 gnu/services/monitoring.scm     |  2 +-
 gnu/tests/ldap.scm              |  2 +-
 gnu/tests/monitoring.scm        |  4 ++--
 17 files changed, 40 insertions(+), 41 deletions(-)

Patch

diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index 343cf74748..26ea787e29 100644
--- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -177,6 +177,8 @@  (define (machine-become-command machine)
   (if (string= "root" (machine-ssh-configuration-user
                        (machine-configuration machine)))
       '()
+      ;; Use the old setuid-programs location until the remote is likely to
+      ;; have the new /run/privileged one in place.
       '("/run/setuid-programs/sudo" "-n" "--")))
 
 (define (managed-host-remote-eval machine exp)
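Review bot: The comment added above the sudo path in `machine-become-command` gives no condition for when the path should be switched, and does not say whether `/run/setuid-programs` still exists on a remote that has already been reconfigured with the new layout. If that directory is not kept as a compatibility location (not visible in this patch), a later deploy as a non-root user would fail to find sudo. I would state that in the comment and give it a greppable tag, e.g. `;; TODO: Switch to /run/privileged/bin/sudo once deployed systems provide it.`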
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 3d0886aba8..c022e9224c 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -199,7 +199,7 @@  (define-public ktsuss
            (lambda _
              (substitute* "configure.ac"
                (("supath=`which su 2>/dev/null`")
-                "supath=/run/setuid-programs/su"))
+                "supath=/run/privileged/bin/su"))
              #t)))))
     (native-inputs
      (list autoconf automake libtool pkg-config))
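Review bot: The new `supath=/run/privileged/bin/su` is baked into the package at build time, so a ktsuss upgraded in a user profile before the system is reconfigured will point at a directory that does not exist yet. The same applies to the other package hunks in this patch, notably the opendoas `safepath`, the xsecurelock `--with-default-authproto-module` flag (where a missing helper would presumably leave the locker unable to authenticate) and gnome-control-center's `passwd` path. Whether an earlier patch in the series keeps `/run/setuid-programs` as a compatibility link is not visible here. If it does not, the commit message or a news entry should say that `guix system reconfigure` must come before these package upgrades.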
@@ -2086,7 +2086,7 @@  (define-public opendoas
              (substitute* "doas.c"
                (("safepath =" match)
                 (string-append match " \""
-                               "/run/setuid-programs:"
+                               "/run/privileged/bin:"
                                "/run/current-system/profile/bin:"
                                "/run/current-system/profile/sbin:"
                                "\" ")))))
@@ -4863,7 +4863,7 @@  (define-public hosts
                                 ":" (assoc-ref %build-inputs "grep") "/bin"
                                 ":" (assoc-ref %build-inputs "ncurses") "/bin"
                                 ":" (assoc-ref %build-inputs "sed") "/bin"
-                                ":" "/run/setuid-programs"
+                                ":" "/run/privileged/bin"
                                 ":" (getenv "PATH")))
          (substitute* "hosts"
            (("#!/usr/bin/env bash")
diff --git a/gnu/packages/containers.scm b/gnu/packages/containers.scm
index 3982f4f059..8976ca3b20 100644
--- a/gnu/packages/containers.scm
+++ b/gnu/packages/containers.scm
@@ -236,7 +236,7 @@  (define-public slirp4netns
                   (add-after 'unpack 'fix-hardcoded-paths
                     (lambda _
                       (substitute* (find-files "tests" "\\.sh")
-                        (("ping") "/run/setuid-programs/ping")))))))
+                        (("ping") "/run/privileged/bin/ping")))))))
     (inputs
      (list glib
            libcap
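Review bot: The pattern `("ping")` in the `fix-hardcoded-paths` phase is unanchored, so it rewrites every occurrence of those four letters in the test scripts, including inside longer words or an already-absolute path. Matching the command position would be safer, for example `(("(^|[[:space:]])ping " _ pre) (string-append pre "/run/privileged/bin/ping "))`, assuming the scripts invoke it as a bare command. Only the tail of the phase is visible in this hunk, so it is not clear whether these tests run at build time, where `/run/privileged/bin` would not exist.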
diff --git a/gnu/packages/debian.scm b/gnu/packages/debian.scm
index 4319d3a518..308f2bc286 100644
--- a/gnu/packages/debian.scm
+++ b/gnu/packages/debian.scm
@@ -493,8 +493,8 @@  (define-public pbuilder
                  (lambda ()
                    (format #t "# A couple of presets to make this work more smoothly.~@
                            MIRRORSITE=\"http://deb.debian.org/debian\"~@
-                           if [ -r /run/setuid-programs/sudo ]; then~@
-                               PBUILDERROOTCMD=\"/run/setuid-programs/sudo -E\"~@
+                           if [ -r /run/privileged/bin/sudo ]; then~@
+                               PBUILDERROOTCMD=\"/run/privileged/bin/sudo -E\"~@
                            fi~@
                            PBUILDERSATISFYDEPENDSCMD=\"~a/lib/pbuilder/pbuilder-satisfydepends-apt\"~%"
                            #$output)))))
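Review bot: The generated preset guards the sudo setting with `[ -r /run/privileged/bin/sudo ]`, which tests readability, while what `PBUILDERROOTCMD` needs is an executable file. A privileged copy that is executable but not world-readable would skip the preset silently. I would use `if [ -x /run/privileged/bin/sudo ]; then~@` on that line. The enclosing phase starts outside the hunk.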
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index f9fe9c5989..4f78a3aa9e 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -198,10 +198,10 @@  (define-public udevil
         ;; udevil expects these programs to be run with uid set as root.
         ;; user has to manually add these programs to setuid-programs.
         ;; mount and umount are default setuid-programs in guix system.
-        "--with-mount-prog=/run/setuid-programs/mount"
-        "--with-umount-prog=/run/setuid-programs/umount"
-        "--with-losetup-prog=/run/setuid-programs/losetup"
-        "--with-setfacl-prog=/run/setuid-programs/setfacl")
+        "--with-mount-prog=/run/privileged/bin/mount"
+        "--with-umount-prog=/run/privileged/bin/umount"
+        "--with-losetup-prog=/run/privileged/bin/losetup"
+        "--with-setfacl-prog=/run/privileged/bin/setfacl")
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'remove-root-reference
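Review bot: The two comment lines above the `--with-mount-prog` flags still say `setuid-programs`, while the matching comment in the second udevil hunk was updated to `privileged-programs`. For consistency they should read `;; user has to manually add these programs to privileged-programs.` and `;; mount and umount are default privileged-programs in guix system.` The configure-flags list starts outside the hunk.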
@@ -212,12 +212,12 @@  (define-public udevil
          (add-after 'unpack 'patch-udevil-reference
            ;; udevil expects itself to be run with uid set as root.
            ;; devmon also expects udevil to be run with uid set as root.
-           ;; user has to manually add udevil to setuid-programs.
+           ;; user has to manually add udevil to privileged-programs.
            (lambda _
              (substitute* "src/udevil.c"
-               (("/usr/bin/udevil") "/run/setuid-programs/udevil"))
+               (("/usr/bin/udevil") "/run/privileged/bin/udevil"))
              (substitute* "src/devmon"
-               (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil"))
+               (("`which udevil 2>/dev/null`") "/run/privileged/bin/udevil"))
              #t)))))
     (native-inputs
      (list intltool pkg-config))
diff --git a/gnu/packages/enlightenment.scm b/gnu/packages/enlightenment.scm
index a08ad05143..0bb6bf3bcc 100644
--- a/gnu/packages/enlightenment.scm
+++ b/gnu/packages/enlightenment.scm
@@ -150,8 +150,8 @@  (define-public efl
          "-Dbuild-examples=false"
          "-Decore-imf-loaders-disabler=scim"
          "-Dglib=true"
-         "-Dmount-path=/run/setuid-programs/mount"
-         "-Dunmount-path=/run/setuid-programs/umount"
+         "-Dmount-path=/run/privileged/bin/mount"
+         "-Dunmount-path=/run/privileged/bin/umount"
          "-Dnetwork-backend=connman"
          ,,@(if (member (%current-system)
                         (package-transitive-supported-systems luajit))
@@ -339,7 +339,7 @@  (define-public enlightenment
                (substitute* '("src/bin/e_sys_main.c"
                               "src/bin/e_util_suid.h")
                  (("PATH=/bin:/usr/bin:/sbin:/usr/sbin")
-                  (string-append "PATH=/run/setuid-programs:"
+                  (string-append "PATH=/run/privileged/bin:"
                                  "/run/current-system/profile/bin:"
                                  "/run/current-system/profile/sbin")))
                (substitute* "src/modules/everything/evry_plug_calc.c"
@@ -348,8 +348,8 @@  (define-public enlightenment
                  (("libddcutil\\.so\\.?" libddcutil)
                   (string-append ddcutil "/lib/" libddcutil)))
                (substitute* "data/etc/meson.build"
-                 (("/bin/mount") "/run/setuid-programs/mount")
-                 (("/bin/umount") "/run/setuid-programs/umount")
+                 (("/bin/mount") "/run/privileged/bin/mount")
+                 (("/bin/umount") "/run/privileged/bin/umount")
                  (("/usr/bin/eject") "/run/current-system/profile/bin/eject"))
                (substitute* "src/bin/system/e_system_power.c"
                  (("systemctl") "loginctl"))))))))
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 19a96ef9f4..1891e9bf11 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -9013,7 +9013,7 @@  (define-public gdm
 
          "--localstatedir=/var"
          (string-append "-Ddefault-path="
-                        (string-join '("/run/setuid-programs"
+                        (string-join '("/run/privileged/bin"
                                        "/run/current-system/profile/bin"
                                        "/run/current-system/profile/sbin")
                                      ":"))
@@ -9290,7 +9290,7 @@  (define-public gnome-control-center
                                       inputs "bin/nm-connection-editor"))))
               (substitute* "panels/user-accounts/run-passwd.c"
                 (("/usr/bin/passwd")
-                 "/run/setuid-programs/passwd"))
+                 "/run/privileged/bin/passwd"))
               (substitute* "panels/info-overview/cc-info-overview-panel.c"
                 (("DATADIR \"/gnome/gnome-version.xml\"")
                  (format #f "~s" (search-input-file
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 13e2ca9493..19c68cc429 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -5027,7 +5027,7 @@  (define-public singularity
                   (substitute* (find-files "libexec/cli" "\\.exec$")
                     (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
                       _ program)
-                     (string-append "/run/setuid-programs/singularity-"
+                     (string-append "/run/privileged/bin/singularity-"
                                     program "-helper")))
 
                   ;; These squashfs mount options are apparently no longer
diff --git a/gnu/packages/lxde.scm b/gnu/packages/lxde.scm
index 0657db6eb8..9b380ede0e 100644
--- a/gnu/packages/lxde.scm
+++ b/gnu/packages/lxde.scm
@@ -372,26 +372,23 @@  (define-public spacefm
                  (substitute* '("mime-type/mime-type.c" "ptk/ptk-file-menu.c")
                    (("/usr(/local)?/share/mime") mime)))
                #t)))
-         (add-after 'patch-mime-dirs 'patch-setuid-progs
+         (add-after 'patch-mime-dirs 'patch-privileged-programs
            (lambda _
-             (let* ((su "/run/setuid-programs/su")
-                    (mount "/run/setuid-programs/mount")
-                    (umount "/run/setuid-programs/umount")
-                    (udevil "/run/setuid-programs/udevil"))
+             (let ((privileged (lambda (command)
+                                 (string-append "/run/privileged/bin/"
+                                                command))))
                (with-directory-excursion "src"
                  (substitute* '("settings.c" "settings.h" "vfs/vfs-file-task.c"
                                 "vfs/vfs-volume-hal.c" "../data/ui/prefdlg.ui"
                                 "../data/ui/prefdlg2.ui")
-                   (("(/usr)?/bin/su") su)
-                   (("/(bin|sbin)/mount") mount)
-                   (("/(bin|sbin)/umount") umount)
-                   (("/usr/bin/udevil") udevil)))
+                   (("(/usr)?/s?bin/(mount|umount|su|udevil)" _ _ command)
+                    (privileged command))))
                #t)))
-         (add-after 'patch-setuid-progs 'patch-spacefm-conf
+         (add-after 'patch-privileged-programs 'patch-spacefm.conf
            (lambda* (#:key inputs #:allow-other-keys)
              (substitute* "etc/spacefm.conf"
                (("#terminal_su=/bin/su")
-                "terminal_su=/run/setuid-programs/su")
+                "terminal_su=/run/privileged/bin/su")
                (("#graphical_su=/usr/bin/gksu")
                 (string-append "graphical_su="
                                (search-input-file inputs "/bin/ktsuss")))))))
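Review bot: The merged regexp `"(/usr)?/s?bin/(mount|umount|su|udevil)"` matches more than the four patterns it replaces (it now also rewrites `/sbin/su`, `/usr/sbin/mount` and `/bin/udevil`), but the changelog entry for spacefm only says "Likewise". That is probably an improvement, since the old `/(bin|sbin)/mount` clause would have rewritten only the tail of `/usr/sbin/mount`, but it deserves a line in the commit message and a comment such as `;; Match the /bin, /sbin, /usr/bin and /usr/sbin spelling of each command.` The phase renames to `'patch-privileged-programs` and `'patch-spacefm.conf` are likewise unmentioned. Any package that inherits from spacefm and refers to the old phase names (none visible here) would need updating.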
diff --git a/gnu/packages/monitoring.scm b/gnu/packages/monitoring.scm
index 74ec7b6cdf..2571994624 100644
--- a/gnu/packages/monitoring.scm
+++ b/gnu/packages/monitoring.scm
@@ -187,7 +187,7 @@  (define-public zabbix-agentd
                         "src/zabbix_server/server.c")
            ;; 'fping' must be setuid, so look for it in the usual location.
            (("/usr/sbin/fping6?")
-            "/run/setuid-programs/fping")))))
+            "/run/privileged/bin/fping")))))
     (build-system gnu-build-system)
     (arguments
      (list #:configure-flags
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 64a26edb02..ac1d0f3cd3 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -761,7 +761,7 @@  (define-public ganeti
              ;; hard coded PATH.  Patch so it works on Guix System.
              (substitute* "src/Ganeti/Constants.hs"
                (("/sbin:/bin:/usr/sbin:/usr/bin")
-                "/run/setuid-programs:/run/current-system/profile/sbin:\
+                "/run/privileged/bin:/run/current-system/profile/sbin:\
 /run/current-system/profile/bin"))))
          (add-after 'bootstrap 'patch-sphinx-version-detection
            (lambda _
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 2ebeb4e013..d53329b243 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -2434,7 +2434,7 @@  (define-public xsecurelock
      '(#:configure-flags
        '("--with-pam-service-name=login"
          "--with-xkb"
-         "--with-default-authproto-module=/run/setuid-programs/authproto_pam")))
+         "--with-default-authproto-module=/run/privileged/bin/authproto_pam")))
     (native-inputs
      (list pandoc pkg-config))
     (inputs
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index 5efd6bdadf..cb1c94a607 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -114,7 +114,7 @@  (define (services->sxml services)
              ;; failures such as <https://issues.guix.gnu.org/52051> on slow
              ;; computers with slow I/O.
             (limit (@ (name "auth_timeout")) "300000")
-            (servicehelper "/run/setuid-programs/dbus-daemon-launch-helper")
+            (servicehelper "/run/privileged/bin/dbus-daemon-launch-helper")
 
             ;; First, the '.service' files of services subject to activation.
             ;; We use a fixed location under /etc because the setuid helper
diff --git a/gnu/services/ganeti.scm b/gnu/services/ganeti.scm
index f4fec3833e..ee72946c88 100644
--- a/gnu/services/ganeti.scm
+++ b/gnu/services/ganeti.scm
@@ -182,7 +182,7 @@  (define-module (gnu services ganeti)
 ;; Ceph, Gluster, etc, without having to add absolute references to everything.
 (define %default-ganeti-environment-variables
   (list (string-append "PATH="
-                       (string-join '("/run/setuid-programs"
+                       (string-join '("/run/privileged/bin"
                                       "/run/current-system/profile/sbin"
                                       "/run/current-system/profile/bin")
                                     ":"))))
diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm
index 44e2e8886c..b86b0ab87d 100644
--- a/gnu/services/monitoring.scm
+++ b/gnu/services/monitoring.scm
@@ -544,7 +544,7 @@  (define (zabbix-agent-shepherd-service config)
 /etc/ssl/certs"
                          "SSL_CERT_FILE=/run/current-system/profile\
 /etc/ssl/certs/ca-certificates.crt"
-                         "PATH=/run/setuid-programs:\
+                         "PATH=/run/privileged/bin:\
 /run/current-system/profile/bin:/run/current-system/profile/sbin")))
          (stop #~(make-kill-destructor)))))
 
diff --git a/gnu/tests/ldap.scm b/gnu/tests/ldap.scm
index 47e77c0c53..d5ab6899cf 100644
--- a/gnu/tests/ldap.scm
+++ b/gnu/tests/ldap.scm
@@ -144,7 +144,7 @@  (define marionette
 
           (test-assert "Can become LDAP user"
             (marionette-eval
-             '(zero? (system* "/run/setuid-programs/su" "eva" "-c"
+             '(zero? (system* "/run/privileged/bin/su" "eva" "-c"
                               #$(file-append coreutils "/bin/true")))
              marionette))
 
diff --git a/gnu/tests/monitoring.scm b/gnu/tests/monitoring.scm
index ae0a8e0845..f5e3f591a7 100644
--- a/gnu/tests/monitoring.scm
+++ b/gnu/tests/monitoring.scm
@@ -189,11 +189,11 @@  (define marionette
                 (start-service 'postgres))
              marionette))
 
-          ;; Add /run/setuid-programs to $PATH so that the scripts passed to
+          ;; Add privileged programs to $PATH so that the scripts passed to
           ;; 'system' can find 'sudo'.
           (marionette-eval
            '(setenv "PATH"
-                    "/run/setuid-programs:/run/current-system/profile/bin")
+                    "/run/privileged/bin:/run/current-system/profile/bin")
            marionette)
 
           (test-eq "postgres create zabbix user"