From patchwork Mon Jun 15 16:23:28 2020
X-Patchwork-Submitter: Brice Waegeneire
X-Patchwork-Id: 22734
Subject: [bug#41875] [PATCH] system: Add 'sg' and 'newgrp' to %SETUID-PROGRAMS.
To: 41875@debbugs.gnu.org
From: Brice Waegeneire
Date: Mon, 15 Jun 2020 18:23:28 +0200
Message-Id: <20200615162328.25429-1-brice@waegenei.re>

* gnu/system.scm (%setuid-programs): Add 'sg' and 'newgrp'.
---
Without it 'newgrp' is unusable:

--8<---------------cut here---------------start------------->8---
$ whoami
bricewge
$ cat /etc/group | grep wireshark
wireshark:x:970:bricewge
$ groups
users libvirt adbusers plugdev kvm lp netdev audio video input dialout wheel
$ newgrp wireshark
setgroups: Operation not permitted
setgid: Operation not permitted
--8<---------------cut here---------------end--------------->8---

I also added 'sg' since, in the shadow package, it's a symlink to 'newgrp'.

 gnu/system.scm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnu/system.scm b/gnu/system.scm index 06bbc9e9c8..3e3d1927c2 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -932,7 +932,9 @@ use 'plain-file' instead~%") ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/sg") (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") (file-append shadow "/bin/newuidmap") (file-append shadow "/bin/newgidmap") (file-append inetutils "/bin/ping")
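Review bot: The two added entries, (file-append shadow "/bin/sg") and (file-append shadow "/bin/newgrp"), are separated by the existing "/bin/su" line and carry no comment, so nothing in the list tells a reader that they are the same shadow binary (the commit message says 'sg' is a symlink to 'newgrp'). This list is the default set of setuid-root programs, so each entry widens the privileged surface of every system that uses the default; please place the two entries next to each other with a short ;; comment recording that 'sg' is a symlink to 'newgrp', so they are audited and removed together. The commit message shows the failure for 'newgrp' only; a sentence on why 'sg' also has to be setuid by default, rather than left for users to add, would help.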