From patchwork Fri Oct 18 13:21:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dariqq X-Patchwork-Id: 69088 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 97F0127BBEA; Fri, 18 Oct 2024 14:23:00 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 02B4C27BBE2 for ; Fri, 18 Oct 2024 14:23:00 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t1mwH-0004iW-64; Fri, 18 Oct 2024 09:22:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t1mwC-0004iF-SK for guix-patches@gnu.org; Fri, 18 Oct 2024 09:22:41 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t1mwC-0006Cj-Jk for guix-patches@gnu.org; Fri, 18 Oct 2024 09:22:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=aJS6ePBctSQfFzDVVb0z86SPhZ8QQtnsXQctvOJYoQ8=; b=rCgT4WzJUKKfIff+w6HZu7oxbZ8guE35dnQOMqyUT8OA8sUWFJTPbS854IieUivRve3Lhr7vRMV+qFbYyv1dFMg+ZN4G6WQmtvO+UW6G0eWmdFkr4kzfnHBy/I9hFqXZKcXgU1N3Ndl4GzDeWkEOTyd2uOFQuDB0sULRV/8dL12f9fUl6D9E10E2iKQLfEV9cMMnXpFDfde3HxfgEuuTWgqD3YXr3BygYJOh4bmzADOXD8YX9WJQ71lJW+nP5FMdIUoVok+FAOuWv5Oz+vfHElcjqVxt7AIh73jfe1C/T6UNUaqiHDzbPsmiHVajVZqvh10jLj+pWUJExROI5eF0RA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1t1mwY-0007YW-Lv for guix-patches@gnu.org; Fri, 18 Oct 2024 09:23:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#73767] [PATCH v2 1/2] gnu: system: Privilege programs after creating accounts. References: In-Reply-To: Resent-From: Dariqq Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 18 Oct 2024 13:23:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 73767 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 73767@debbugs.gnu.org Cc: Dariqq Received: via spool by 73767-submit@debbugs.gnu.org id=B73767.172925778029030 (code B ref 73767); Fri, 18 Oct 2024 13:23:02 +0000 Received: (at 73767) by debbugs.gnu.org; 18 Oct 2024 13:23:00 +0000 Received: from localhost ([127.0.0.1]:37544 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t1mwV-0007Y9-Rs for submit@debbugs.gnu.org; Fri, 18 Oct 2024 09:23:00 -0400 Received: from mout01.posteo.de ([185.67.36.65]:44059) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t1mwR-0007Xq-Pc for 73767@debbugs.gnu.org; Fri, 18 Oct 2024 09:22:58 -0400 Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id E7106240027 for <73767@debbugs.gnu.org>; Fri, 18 Oct 2024 15:22:26 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1729257746; bh=Iv4qLop/AEjHNQ0EoaN0uECOQi9VZkw3Mndv/q5Z95Y=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version: Content-Transfer-Encoding:From; b=ekjky0kRs9B1yvCAsWbMLLZtIy1bAGU7L0qvSksDnvd57VUoxw6/mP0KWx1eR4XlE AOXyxeLEpaSYpK2kJr3dhtI1lgoZhtZVayDGqRp0PV0o+jfutbeRzGf1kWLDVYMcYo bBv5Lhv9TNgEVnqzAQyzaADpvB1c4OGuWOUm+Ut3zRrDq/c6kkudLId37O9UpqEBRe lN73xPh7dabqdm26T7wLtoisZj9GQZS4hOsafyR/1phgF4xVmSTZ5jrnT9SUra7uzY 0asKRl5JWeLyodikJmfU4s7na8FnVQQM4E2DDb99QAPcOuXrnv+ywVW4ieOhwT+yhM g9X1E1LH+JL5w== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4XVQNd4czXz9rxG; Fri, 18 Oct 2024 15:22:25 +0200 (CEST) From: Dariqq Date: Fri, 18 Oct 2024 13:21:22 +0000 Message-ID: <99be45a2fa553c2174a7062056ac7fced444ad5e.1729257683.git.dariqq@posteo.net> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Ensure that users and groups are already created when the privileging script runs. The order these scripts appear in the folded activation-service depends on the order these services are instantiated in the operating-system. Fixes https://issues.guix.gnu.org/73680. * gnu/system.scm (operating-system-default-essential-services): Move privileged-program-service above account-service. (hurd-default-essential-services): Likewise. Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e --- gnu/system.scm | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) base-commit: 061e0acd596262420facef7c2d1fc9cc4327d75a diff --git a/gnu/system.scm b/gnu/system.scm index 44f93f91d1..c19730b331 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -809,6 +809,11 @@ (define (operating-system-default-essential-services os) %shepherd-root-service (pam-root-service (operating-system-pam-services os)) + ;; Make sure that privileged-programs activation script + ;; runs after accounts are created + (service privileged-program-service-type + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (account-service (append (operating-system-accounts os) (operating-system-groups os)) (operating-system-skeletons os)) @@ -826,9 +831,6 @@ (define (operating-system-default-essential-services os) (operating-system-environment-variables os)) (service host-name-service-type host-name) procs root-fs - (service privileged-program-service-type - (append (operating-system-privileged-programs os) - (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os)) boot-fs non-boot-fs @@ -850,6 +852,11 @@ (define (hurd-default-essential-services os) (service shepherd-root-service-type) (service user-processes-service-type) + ;; Make sure that privileged-programs activation script + ;; runs after accounts are created + (service privileged-program-service-type + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (account-service (append (operating-system-accounts os) (operating-system-groups os)) (operating-system-skeletons os)) @@ -866,9 +873,6 @@ (define (hurd-default-essential-services os) (list `("hosts" ,hosts-file))) (service hosts-service-type (local-host-entries host-name))) - (service privileged-program-service-type - (append (operating-system-privileged-programs os) - (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) From patchwork Fri Oct 18 13:21:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dariqq X-Patchwork-Id: 69089 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6B7C627BBEA; Fri, 18 Oct 2024 14:23:55 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 6497127BBE2 for ; Fri, 18 Oct 2024 14:23:54 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t1mxB-0004t6-EJ; Fri, 18 Oct 2024 09:23:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t1mxA-0004sq-BL for guix-patches@gnu.org; Fri, 18 Oct 2024 09:23:40 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t1mxA-0006Kq-2a for guix-patches@gnu.org; Fri, 18 Oct 2024 09:23:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=1HeQSfeZxW4thqw9fR/hvOe9tc1mYiwaX+Hzwl5J+w0=; b=snbsIS30ekEqWw4f5uj71Og22TSUDEi7xX+OaNviAnPp0lslGhBQtJcnvywc5wOW1OYCR+yjZ/rfGXEBa+Xyb9tmEvoKUk7JOUiyxt8jCGGiNDtr2wBuA2j0srJLFIV34V2eAuirp0m/5jZ+iTqXgAGipT4E5QBXKFWjK2WyzMsiHsY0tbpCLuT8FgTVm4yTBWFL+wxpGYIujmFe8RdoOpgq8qnv9RegacXBoi2Z3HUHLkooueRsLFk761dKI1VK4y5DKLBI6Ng3+72mmkJMO3iskkMz+dC+CY4PLv4hYS/lLEE0svbKNPTOG/AVBXeq4q2SV96YSiZxAnvtHP81Pg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1t1mxW-0007aS-Bz for guix-patches@gnu.org; Fri, 18 Oct 2024 09:24:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#73767] [PATCH v2 2/2] tests: Add activation test. Resent-From: Dariqq Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 18 Oct 2024 13:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 73767 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 73767@debbugs.gnu.org Cc: Dariqq Received: via spool by 73767-submit@debbugs.gnu.org id=B73767.172925778329058 (code B ref 73767); Fri, 18 Oct 2024 13:24:02 +0000 Received: (at 73767) by debbugs.gnu.org; 18 Oct 2024 13:23:03 +0000 Received: from localhost ([127.0.0.1]:37547 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t1mwY-0007YT-8y for submit@debbugs.gnu.org; Fri, 18 Oct 2024 09:23:03 -0400 Received: from mout02.posteo.de ([185.67.36.66]:51713) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t1mwW-0007Xw-Nz for 73767@debbugs.gnu.org; Fri, 18 Oct 2024 09:23:01 -0400 Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id CEC31240101 for <73767@debbugs.gnu.org>; Fri, 18 Oct 2024 15:22:31 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1729257751; bh=Hhci1Dv6O8y4kvsQ9eEuDbrzzlKbB7JE6mjY6mZm6vg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding:From; b=U+bAnEN+bQ4CNixRAeq1y73pJDZSpTu3NstrucsmyFL1MjekfN/lyGqDuiWaET1OE sFf1NFj7wAI3ARr8c/e6SFxYiYQ+sxti5J0m7CwGmW7l4BfOPv2RNmhshdsWA17vGi 0ufTzCtM+wEELce94gr4PjiuORpJ5jRRFf16T8XWN4goY7cG+oNmkhmxcbOP/A1vf7 19F+iagCtR/h38kcOgMIWBA1CFwLZrQ3nuEkv7hVeznLf93VDe3FOKBbS6cclrobsp maXduaU2MjrTQOJ42vdigQwU0p6n7uTTsSKcNOOcrofkpZjunvfoURBY0DXycPWP79 lNw8Uj4IqW+/Q== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4XVQNk6LHWz9rxP; Fri, 18 Oct 2024 15:22:30 +0200 (CEST) From: Dariqq Date: Fri, 18 Oct 2024 13:21:23 +0000 Message-ID: <9e16b82e73de5da03c2aa8763a970fbdd513a83d.1729257683.git.dariqq@posteo.net> In-Reply-To: <99be45a2fa553c2174a7062056ac7fced444ad5e.1729257683.git.dariqq@posteo.net> References: <99be45a2fa553c2174a7062056ac7fced444ad5e.1729257683.git.dariqq@posteo.net> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Add a test to verify that accounts are available for activation scripts. * gnu/tests/base.scm (%activation-os): New variable. (run-activation-test): New procedure. (%test-activation): New variable. Change-Id: I59a191c5519475f256e81bdf2dc4cb01b96c31fe --- gnu/tests/base.scm | 121 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 120 insertions(+), 1 deletion(-) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index e1a676ecd4..9430cbee12 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -3,6 +3,7 @@ ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2022 Maxim Cournoyer ;;; Copyright © 2022 Marius Bakke +;;; Copyright © 2024 Dariqq ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +25,7 @@ (define-module (gnu tests base) #:use-module (gnu image) #:use-module (gnu system) #:autoload (gnu system image) (system-image) + #:use-module (gnu system privilege) #:use-module (gnu system shadow) #:use-module (gnu system nss) #:use-module (gnu system vm) @@ -60,7 +62,8 @@ (define-module (gnu tests base) %test-root-unmount %test-cleanup %test-mcron - %test-nss-mdns)) + %test-nss-mdns + %test-activation)) (define %simple-os (simple-operating-system)) @@ -1105,3 +1108,119 @@ (define %test-nss-mdns "Test Avahi's multicast-DNS implementation, and in particular, test its glibc name service switch (NSS) module.") (value (run-nss-mdns-test)))) + + +;;; +;;; Activation: Order of activation scripts +;;; Create accounts before running scripts using them + +(define %activation-os + ;; System with a new user/group, a setuid/setgid binary and an activation script + (let* ((%hello-accounts + (list (user-group (name "hello") (system? #t)) + (user-account + (name "hello") + (group "hello") + (system? #t) + (comment "") + (home-directory "/var/empty")))) + (%hello-privileged + (list + (privileged-program + (program (file-append hello "/bin/hello")) + (setuid? #t) + (setgid? #t) + (user "hello") + (group "hello")))) + (%hello-activation + (with-imported-modules (source-module-closure + '((gnu build activation))) + #~(begin + (use-modules (gnu build activation)) + + (let ((user (getpwnam "hello"))) + (mkdir-p/perms "/run/hello" user #o755))))) + + (hello-service-type + (service-type + (name 'hello) + (extensions + (list (service-extension account-service-type + (const %hello-accounts)) + (service-extension activation-service-type + (const %hello-activation)) + (service-extension privileged-program-service-type + (const %hello-privileged)))) + (default-value #f) + (description "")))) + + (operating-system + (inherit %simple-os) + (services + (cons* (service hello-service-type) + (operating-system-user-services + %simple-os)))))) + +(define (run-activation-test name) + (define os + (marionette-operating-system + %activation-os)) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (gnu build marionette) + (srfi srfi-64)) + + (define marionette + (make-marionette (list #$(virtual-machine os)))) + + (test-runner-current (system-test-runner #$output)) + (test-begin "activation") + + (test-assert "directory exists" + (marionette-eval + '(file-exists? "/run/hello") + marionette)) + + (test-assert "directory correct permissions and owner" + (marionette-eval + '(let ((dir (stat "/run/hello")) + (user (getpwnam "hello"))) + (and (eqv? (stat:uid dir) + (passwd:uid user)) + (eqv? (stat:gid dir) + (passwd:gid user)) + (= (stat:perms dir) + #o0755))) + marionette)) + + (test-assert "privileged-program exists" + (marionette-eval + '(file-exists? "/run/privileged/bin/hello") + marionette)) + + (test-assert "privileged-program correct permissions and owner" + (marionette-eval + '(let ((binary (stat "/run/privileged/bin/hello")) + (user (getpwnam "hello")) + (group (getgrnam "hello"))) + (and (eqv? (stat:uid binary) + (passwd:uid user)) + (eqv? (stat:gid binary) + (group:gid group)) + (= (stat:perms binary) + (+ #o0555 ;; base + #o4000 ;; setuid + #o2000)))) ;; setgid + marionette)) + + (test-end)))) + + (gexp->derivation name test)) + +(define %test-activation + (system-test + (name "activation") + (description "Test that activation scripts are run in the correct order") + (value (run-activation-test name))))