From patchwork Sun Jul 16 00:00:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tobias Geerinckx-Rice X-Patchwork-Id: 51878 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 4B1B227BBE9; Thu, 20 Jul 2023 21:44:05 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id C4F0D27BBEA for ; Thu, 20 Jul 2023 21:44:01 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qMaUP-0007Rx-4y; Thu, 20 Jul 2023 16:43:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qMaUM-0007QF-Fk for guix-patches@gnu.org; Thu, 20 Jul 2023 16:43:06 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qMaUM-0007Dm-73 for guix-patches@gnu.org; Thu, 20 Jul 2023 16:43:06 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qMaUM-0000ZU-2i for guix-patches@gnu.org; Thu, 20 Jul 2023 16:43:06 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#61462] [PATCH v2 10/10] system: Add privileged-programs to . Resent-From: Tobias Geerinckx-Rice Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 20 Jul 2023 20:43:06 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 61462 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 61462@debbugs.gnu.org Received: via spool by 61462-submit@debbugs.gnu.org id=B61462.16898857382064 (code B ref 61462); Thu, 20 Jul 2023 20:43:06 +0000 Received: (at 61462) by debbugs.gnu.org; 20 Jul 2023 20:42:18 +0000 Received: from localhost ([127.0.0.1]:60060 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qMaTZ-0000X8-Hj for submit@debbugs.gnu.org; Thu, 20 Jul 2023 16:42:18 -0400 Received: from tobias.gr ([2a02:c205:2020:6054::1]:51548) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qMaTR-0000V6-U3 for 61462@debbugs.gnu.org; Thu, 20 Jul 2023 16:42:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=6kkBI9n4TFSbC c3TeONf358gRsQ6d+f/X1w/baAoUc4=; h=references:in-reply-to:date: subject:to:from; d=tobias.gr; b=o4MrLctgJ29H+kHGQ+C6mKf3zkiCc8mJDVZqhr DmvJmfrzz7yXXO0KiCQDiL+QnPuTV1j/YPdPBoT+PmJyL2SV63fjmjoLMznOpmaxXm55ux dUpXQXxMEm7AiudJRRXCvk0bz36EUz2C6PQqhb8IgNKCmUKVlpNn68eeaGa122q9DXMf9V wYGd/HII2RHpPymLvnoGf7UlMphMELOq2xPiK6LPdNQMnfL/n1lPHy73o9w2UyzdjDkKGM +Sq3p62sKpIjFtyiwWcxCr1oJBK/0RUDteYXA+Bg6J16lS06K0koMB07+5SIQvbJla9sXh 5hIOso8i+afZUkDo0nX1zoig== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id af4e6bad (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <61462@debbugs.gnu.org>; Thu, 20 Jul 2023 20:41:51 +0000 (UTC) Date: Sun, 16 Jul 2023 02:00:00 +0200 Message-ID: <4e0fe1db5ac68e78dcc5221896797fc452bbdde1.1689465600.git.me@tobias.gr> X-Mailer: git-send-email 2.41.0 In-Reply-To: <129e8d298556f6a159fcb704ed3df4bf0709ddd3.1689465600.git.me@tobias.gr> References: <129e8d298556f6a159fcb704ed3df4bf0709ddd3.1689465600.git.me@tobias.gr> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Tobias Geerinckx-Rice X-ACL-Warn: , Tobias Geerinckx-Rice via Guix-patches X-Patchwork-Original-From: Tobias Geerinckx-Rice via Guix-patches via From: Tobias Geerinckx-Rice Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/system.scm (): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which is now defined as the empty list. * doc/guix.texi (Setuid Programs): Rename this… (Privileged Programs): …to this. Adjust all refs. Update all mentions of ‘setuid’ (whether in prose, variable names, or code samples) to use the new ‘privilege[d]’ terminology instead. (operating-system Reference, X Window, Desktop Services, Invoking guix system, Service Reference): Adjust likewise. --- doc/guix.texi | 89 ++++++++++++++++++++++------------------- gnu/packages/crypto.scm | 2 +- gnu/services.scm | 1 - gnu/system.scm | 21 ++++++++-- 4 files changed, 65 insertions(+), 48 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 9426c72e1e..0be8a2f4b5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -362,7 +362,7 @@ Top * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with elevated privileges. +* Privileged Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -16712,7 +16712,7 @@ System Configuration * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with elevated privileges. +* Privileged Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -17159,9 +17159,9 @@ operating-system Reference Linux @dfn{pluggable authentication module} (PAM) services. @c FIXME: Add xref to PAM services section. -@item @code{setuid-programs} (default: @code{%setuid-programs}) -List of @code{}. @xref{Setuid Programs}, for more -information. +@item @code{privileged-programs} (default: @code{%default-privileged-programs}) +List of @code{}. @xref{Privileged Programs}, for +more information. @item @code{sudoers-file} (default: @code{%sudoers-specification}) @cindex sudoers file @@ -22760,10 +22760,10 @@ X Window @defvar screen-locker-service-type Type for a service that adds a package for a screen locker or screen -saver to the set of setuid programs and/or add a PAM entry for it. The +saver to the set of privileged programs and/or add a PAM entry for it. The value for this service is a @code{} object. -While the default behavior is to setup both a setuid program and PAM +While the default behavior is to setup both a privileged program and PAM entry, these two methods are redundant. Screen locker programs may not execute when PAM is configured and @code{setuid} is set on their executable. In this case, @code{using-setuid?} can be set to @code{#f}. @@ -23689,9 +23689,9 @@ Desktop Services system interfaces. Additionally, adding a service of type @code{mate-desktop-service-type} adds the MATE metapackage to the system profile. ``Adding Enlightenment'' means that @code{dbus} is extended -appropriately, and several of Enlightenment's binaries are set as setuid, -allowing Enlightenment's screen locker and other functionality to work as -expected. +appropriately, and several of Enlightenment's binaries are set as privileged +programs, allowing Enlightenment's screen locker and other functionality to +work as expected. The desktop environments in Guix use the Xorg display server by default. If you'd like to use the newer display server protocol @@ -26727,7 +26727,7 @@ Mail Services Make the following commands setgid to @code{smtpq} so they can be executed: @command{smtpctl}, @command{sendmail}, @command{send-mail}, @command{makemap}, @command{mailq}, and @command{newaliases}. -@xref{Setuid Programs}, for more information on setgid programs. +@xref{Privileged Programs}, for more information on setgid programs. @end table @end deftp @@ -38868,8 +38868,8 @@ Miscellaneous Services service is the Singularity package to use. The service does not install a daemon; instead, it installs helper programs as -setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke -@command{singularity run} and similar commands. +setuid-root (@pxref{Privileged Programs}) such that unprivileged users can +invoke @command{singularity run} and similar commands. @end defvar @cindex Audit @@ -39300,11 +39300,14 @@ Miscellaneous Services @c End of auto-generated fail2ban documentation. -@node Setuid Programs -@section Setuid Programs +@node Privileged Programs +@section Privileged Programs +@cindex privileged programs @cindex setuid programs @cindex setgid programs +@cindex capabilities, POSIX +@cindex setcap Some programs need to run with elevated privileges, even when they are launched by unprivileged users. A notorious example is the @command{passwd} program, which users can run to change their @@ -39315,46 +39318,48 @@ Setuid Programs (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual}, for more info about the setuid mechanism). -The store itself @emph{cannot} contain setuid programs: that would be a -security issue since any user on the system can write derivations that +The store itself @emph{cannot} contain privileged programs: that would be +a security issue since any user on the system can write derivations that populate the store (@pxref{The Store}). Thus, a different mechanism is -used: instead of changing the setuid or setgid bits directly on files that -are in the store, we let the system administrator @emph{declare} which +used: instead of directly granting permissions to files that are in +the store, we let the system administrator @emph{declare} which programs should be entrusted with these additional privileges. -The @code{setuid-programs} field of an @code{operating-system} -declaration contains a list of @code{} denoting the +The @code{privileged-programs} field of an @code{operating-system} +declaration contains a list of @code{} denoting the names of programs to have a setuid or setgid bit set (@pxref{Using the Configuration System}). For instance, the @command{mount.nfs} program, which is part of the nfs-utils package, with a setuid root can be designated like this: @lisp -(setuid-program - (program (file-append nfs-utils "/sbin/mount.nfs"))) +(privileged-program + (program (file-append nfs-utils "/sbin/mount.nfs")) + (setuid? #t)) @end lisp And then, to make @command{mount.nfs} setuid on your system, add the previous example to your operating system declaration by appending it to -@code{%setuid-programs} like this: +@code{%default-privileged-programs} like this: @lisp (operating-system ;; Some fields omitted... - (setuid-programs - (append (list (setuid-program - (program (file-append nfs-utils "/sbin/mount.nfs")))) - %setuid-programs))) + (privileged-programs + (append (list (privileged-program + (program (file-append nfs-utils "/sbin/mount.nfs")) + (setuid? #t)) + %default-privileged-programs))) @end lisp -@deftp {Data Type} setuid-program -This data type represents a program with a setuid or setgid bit set. +@deftp {Data Type} privileged-program +This data type represents a program with special privileges, such as setuid @table @asis @item @code{program} -A file-like object having its setuid and/or setgid bit set. +A file-like object to which all given privileges should apply. -@item @code{setuid?} (default: @code{#t}) +@item @code{setuid?} (default: @code{#f}) Whether to set user setuid bit. @item @code{setgid?} (default: @code{#f}) @@ -39371,18 +39376,18 @@ Setuid Programs @end table @end deftp -A default set of setuid programs is defined by the -@code{%setuid-programs} variable of the @code{(gnu system)} module. +A default set of privileged programs is defined by the +@code{%default-privileged-programs} variable of the @code{(gnu system)} module. -@defvar %setuid-programs -A list of @code{} denoting common programs that are -setuid-root. +@defvar {Scheme Variable} %default-privileged-programs +A list of @code{} denoting common programs with +elevated privileges. The list includes commands such as @command{passwd}, @command{ping}, @command{su}, and @command{sudo}. @end defvar -Under the hood, the actual setuid programs are created in the +Under the hood, the actual privileged programs are created in the @file{/run/privileged/bin} directory at system activation time. The files in this directory refer to the ``real'' binaries, which are in the store. @@ -40276,7 +40281,7 @@ Invoking guix system @end quotation This effects all the configuration specified in @var{file}: user -accounts, system services, global package list, setuid programs, etc. +accounts, system services, global package list, privileged programs, etc. The command starts system services specified in @var{file} that are not currently running; if a service is currently running this command will arrange for it to be upgraded the next time it is stopped (e.g.@: by @@ -41649,10 +41654,10 @@ Service Reference pointing to the given file. @end defvar -@defvar setuid-program-service-type -Type for the ``setuid-program service''. This service collects lists of +@defvar privileged-program-service-type +Type for the ``privileged-program service''. This service collects lists of executable file names, passed as gexps, and adds them to the set of -setuid and setgid programs on the system (@pxref{Setuid Programs}). +privileged programs on the system (@pxref{Privileged Programs}). @end defvar @defvar profile-service-type diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm index 91acedbc97..5c711e0cc6 100644 --- a/gnu/packages/crypto.scm +++ b/gnu/packages/crypto.scm @@ -501,7 +501,7 @@ (define-public tomb `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out"))) ;; The "sudo" input is needed only to satisfy dependency checks in the ;; 'check' phase. The "sudo" used at runtime should come from the - ;; system's setuid-programs, so ensure no reference is kept. + ;; system's privileged-programs, so ensure no reference is kept. #:disallowed-references (,sudo) ;; TODO: Build and install gtk and qt trays #:phases diff --git a/gnu/services.scm b/gnu/services.scm index 5cb7f37c06..a96d42099f 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -46,7 +46,6 @@ (define-module (gnu services) #:use-module (gnu packages bash) #:use-module (gnu packages hurd) #:use-module (gnu system privilege) - #:use-module (gnu system setuid) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-9 gnu) diff --git a/gnu/system.scm b/gnu/system.scm index 39c10dddcb..572a0c19df 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -75,6 +75,7 @@ (define-module (gnu system) #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system privilege) #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) @@ -128,6 +129,7 @@ (define-module (gnu system) operating-system-keyboard-layout operating-system-name-service-switch operating-system-pam-services + operating-system-privileged-programs operating-system-setuid-programs operating-system-skeletons operating-system-sudoers-file @@ -172,6 +174,7 @@ (define-module (gnu system) local-host-aliases ;deprecated %root-account + %default-privileged-programs %setuid-programs %sudoers-specification %base-packages @@ -295,7 +298,10 @@ (define-record-type* operating-system (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) + (privileged-programs operating-system-privileged-programs ; list of + (default %default-privileged-programs)) (setuid-programs operating-system-setuid-programs + ;; For backwards compatibility; will be removed. (default %setuid-programs)) ; list of (sudoers-file operating-system-sudoers-file ; file-like @@ -784,7 +790,8 @@ (define (operating-system-default-essential-services os) (service host-name-service-type host-name) procs root-fs (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os)) boot-fs non-boot-fs @@ -825,7 +832,8 @@ (define (hurd-default-essential-services os) (service hosts-service-type (local-host-entries host-name))) (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) @@ -1202,8 +1210,7 @@ (define (operating-system-environment-variables os) ;; when /etc/machine-id is missing. Make sure these warnings are non-fatal. ("DBUS_FATAL_WARNINGS" . "0"))) -(define %setuid-programs - ;; Default set of setuid-root programs. +(define %default-privileged-programs (let ((shadow (@ (gnu packages admin) shadow))) (map file-like->setuid-program (list (file-append shadow "/bin/passwd") @@ -1225,6 +1232,12 @@ (define %setuid-programs (file-append util-linux "/bin/mount") (file-append util-linux "/bin/umount"))))) +(define %setuid-programs + ;; Do not add to this list or use it in new code! It's defined only to ease + ;; transition to %default-privileged-programs and will be removed. Some rare + ;; use cases already break, such as the obvious (remove … %setuid-programs). + '()) + (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' ;; group can do anything. See