services: opensmtpd: Fix the setgid problem for the smtpctl utility.

Done
Submitted by maxim.cournoyer.
Details
5 participants
  • Brice Waegeneire
  • Jonathan Brielmaier
  • Christopher Baines
  • maxim.cournoyer
  • Tobias Geerinckx-Rice
Owner
unassigned
Severity
normal
maxim.cournoyer wrote on 8 Jun 2020 19:46
(name . guix-patches)(address . guix-patches@gnu.org)(name . Christopher Baines)(address . mail@cbaines.net)
87eeqpih6q.fsf@hurd.i-did-not-set--mail-host-address--so-tickle-me
Hello!
The following patches provide a means to specify a user and group for a setuid program, and use that to fix a setgid permission issue in the context of the opensmtpd service.
Christopher, you should be able to leverage this new facility to configure the uid/gid of the sendmail program to that of the smtpq user, like this:
    (operating-system)
      [...]
      (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
                             %setuid-programs)))
The smtpq user is created as part of the OpenSMTPD service definition.
Thank you,
From e1b8840da16fb531f6607892ebf08f2d5472b962 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:01:49 -0400
Subject: [PATCH 1/3] services: Allow configuring the ownership of setuid programs.
Fixes http://issues.guix.info/41485.
* gnu/build/activation.scm (activate-setuid-programs): Update doc. Allow a
program entry to be a list that may include a user and a group.
[make-setuid-program] New USER and GROUP keyword parameters. Move the error
handling inside the MAKE-SETUID-PROGRAM helper procedure.
* gnu/services.scm (setuid-program-service-type): Update doc.
* doc/guix.texi (Setuid Programs): Update doc.
---
 doc/guix.texi            | 17 +++++++++++---
 gnu/build/activation.scm | 48 +++++++++++++++++++++++++---------------
 gnu/services.scm         | 17 ++++++++++++--
 3 files changed, 59 insertions(+), 23 deletions(-)
Toggle diff (149 lines)diff --git a/doc/guix.texi b/doc/guix.texiindex 056bf011f6..83d7344bd8 100644--- a/doc/guix.texi+++ b/doc/guix.texi@@ -26429,14 +26429,25 @@ should be setuid root. The @code{setuid-programs} field of an @code{operating-system} declaration contains a list of G-expressions denoting the names of-programs to be setuid-root (@pxref{Using the Configuration System}).-For instance, the @command{passwd} program, which is part of the Shadow-package, can be designated by this G-expression (@pxref{G-Expressions}):+programs to be setuid (@pxref{Using the Configuration System}). The+user and group ownership of the setuid program default to @code{root},+but can be specified by declaring them along the file name of the+program. For instance, the @command{passwd} program, which is part of+the Shadow package, can be designated as a setuid-root porgram by this+G-expression (@pxref{G-Expressions}): @example #~(string-append #$shadow "/bin/passwd") @end example +As a second example, the @command{smtpctl} program, which is part of the+OpenSMTPD package, requires to have its group set to @samp{smtpq}.+This can be specified using:++@example+(list (file-append opensmtpd "/bin/smtpctl") "smtpq" "smtpq")+@end example+ A default set of setuid programs is defined by the @code{%setuid-programs} variable of the @code{(gnu system)} module. 
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scmindex 30f5e87d5a..6be3664d44 100644--- a/gnu/build/activation.scm+++ b/gnu/build/activation.scm@@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -227,14 +228,28 @@ they already exist." "/run/setuid-programs") (define (activate-setuid-programs programs)- "Turn PROGRAMS, a list of file names, into setuid programs stored under-%SETUID-DIRECTORY."- (define (make-setuid-program prog)+ "Turn PROGRAMS, a list of file names and/or of nested lists composed of a+file name, a user and a group, into setuid programs stored under+%SETUID-DIRECTORY. The user and group default to \"root\" and affect the+ownership of the associated file name."+ (define* (make-setuid-program prog #:key (user "root") (group user)) (let ((target (string-append %setuid-directory "/" (basename prog))))- (copy-file prog target)- (chown target 0 0)- (chmod target #o6555)))+ (catch 'system-error+ (lambda ()+ (let ((uid (passwd:uid (getpwnam user)))+ (gid (group:gid (getgrnam group))))+ (copy-file prog target)+ (chown target uid gid)+ (chmod target #o6555)))+ (lambda args+ ;; If we fail to create a setuid program, better keep going+ ;; so that we don't leave %SETUID-DIRECTORY empty or+ ;; half-populated. This can happen if PROGRAMS contains+ ;; incorrect file names: <https://bugs.gnu.org/38800>.+ (format (current-error-port)+ "warning: failed to make '~a' setuid (~a:~a): ~a~%"+ prog user group (strerror (system-error-errno args))))))) (format #t "setting up setuid programs in '~a'...~%" %setuid-directory)@@ -247,18 +262,15 @@ they already exist." 
string<?)) (mkdir-p %setuid-directory)) - (for-each (lambda (program)- (catch 'system-error- (lambda ()- (make-setuid-program program))- (lambda args- ;; If we fail to create a setuid program, better keep going- ;; so that we don't leave %SETUID-DIRECTORY empty or- ;; half-populated. This can happen if PROGRAMS contains- ;; incorrect file names: <https://bugs.gnu.org/38800>.- (format (current-error-port)- "warning: failed to make '~a' setuid-root: ~a~%"- program (strerror (system-error-errno args))))))+ (for-each (match-lambda+ ((program user group)+ (make-setuid-program program #:user user #:group group))+ ((program user)+ (make-setuid-program program #:user user))+ ((program)+ (make-setuid-program program))+ (program+ (make-setuid-program program))) programs)) (define (activate-special-files special-files)diff --git a/gnu/services.scm b/gnu/services.scmindex 2e4648bf78..19a1c38ceb 100644--- a/gnu/services.scm+++ b/gnu/services.scm@@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016 Chris Marusich <cmmarusich@gmail.com>+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -681,12 +682,24 @@ FILES must be a list of name/file-like object pairs." (list (service-extension activation-service-type (lambda (programs) #~(activate-setuid-programs- (list #$@programs))))))+ (quote (#$@programs))))))) (compose concatenate) (extend append) (description "Populate @file{/run/setuid-programs} with the specified-executables, making them setuid-root.")))+executables, making them setuid. The PROGRAMS entries extending the+setuid-program-service-type is a list of file-like objects. 
Alternatively to+file-like objects, nested lists containing a file-like object, a user and a+group can be used to control the ownership of the associated file.++Example:++(list (file-append shadow \"/bin/passwd\")+ (list (file-append opensmtpd \"/bin/smtpctl\") \"root\" \"smtpq\"))++The @command{passwd} program has both its user and group set to the+default \"root\" while the @command{smtpctl} program has its user set to+\"root\" and its group set to \"smtpq\"."))) (define (packages->profile-entry packages) "Return a system entry for the profile containing PACKAGES."-- 2.26.2
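Review bot: the new paragraph in the doc/guix.texi hunk states that the user and group both default to @code{root}, but the activation code in this same series declares `#:key (user "root") (group user)`, so a two-element entry such as `(list prog "smtpq")` yields smtpq:smtpq rather than smtpq:root; the manual should state the actual default. Also `porgram` is a typo for `program`, `requires to have its group set` should read `requires its group to be set`, and the example path `/bin/smtpctl` differs from the `/sbin/smtpctl` path that patch 3 of this series installs.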
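Review bot: in the `make-setuid-program` hunk of gnu/build/activation.scm, the `getpwnam`/`getgrnam` lookups are placed inside the same `catch 'system-error` as the file operations, so a user or group that does not exist yet is reported through `strerror` of whatever errno happens to hold rather than by name (the `... setuid (root:wireshark): Success` warning later in this thread is exactly that). Resolve the uid and gid before the `catch`, or in a handler of their own, and print a message that names the missing account, for instance `warning: user or group '~a' not found, skipping '~a'`. The docstring added in the same hunk also says the group defaults to "root" while the code defaults it to USER; one of the two should change.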
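Review bot: the `match-lambda` in the `for-each` hunk has no clause for malformed entries: anything that is not a one-, two- or three-element list falls into the catch-all `program` clause, reaches `(basename prog)` as a list, and raises a wrong-type error that the `'system-error` handler does not catch, aborting activation for every program after it. Add a final clause that warns and skips (or raises a clear configuration error), and confirm the module already imports `(ice-9 match)` since the hunk does not add it. The record-type suggestion raised below would make this case impossible by construction.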
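Review bot: replacing `(list #$@programs)` with `(quote (#$@programs))` in the gnu/services.scm hunk changes evaluation semantics: a gexp entry such as `#~(string-append #$shadow "/bin/passwd")`, which the manual still documents as the canonical form, is no longer evaluated on the target system. Keep `list` and instead lower each nested entry to its own `(list #$prog #$user #$group)` form so that every element is still evaluated, or switch to the record type suggested in review. In the docstring, `The PROGRAMS entries ... is a list` should read `are a list`, and its smtpctl example uses `"root" "smtpq"` whereas patch 3 of this series uses only `"smtpq"`; the two should agree on which ownership is intended.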
From 01c1ab83bf6f5a8158a993de2fa0048f6d172a73 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:49:25 -0400
Subject: [PATCH 2/3] services: opensmtpd: Remove unused binding.
* gnu/services/mail.scm (opensmtpd-activation): Remove unused SMTPD variable
binding.
---
 gnu/services/mail.scm | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
Toggle diff (30 lines)diff --git a/gnu/services/mail.scm b/gnu/services/mail.scmindex cfcaf4601b..7c49d99e9f 100644--- a/gnu/services/mail.scm+++ b/gnu/services/mail.scm@@ -1665,15 +1665,14 @@ match from local for any action outbound (define opensmtpd-activation (match-lambda (($ <opensmtpd-configuration> package config-file)- (let ((smtpd (file-append package "/sbin/smtpd")))- #~(begin- (use-modules (guix build utils))- ;; Create mbox and spool directories.- (mkdir-p "/var/mail")- (mkdir-p "/var/spool/smtpd")- (chmod "/var/spool/smtpd" #o711)- (mkdir-p "/var/spool/mail")- (chmod "/var/spool/mail" #o711))))))+ #~(begin+ (use-modules (guix build utils))+ ;; Create mbox and spool directories.+ (mkdir-p "/var/mail")+ (mkdir-p "/var/spool/smtpd")+ (chmod "/var/spool/smtpd" #o711)+ (mkdir-p "/var/spool/mail")+ (chmod "/var/spool/mail" #o711))))) (define %opensmtpd-pam-services (list (unix-pam-service "smtpd")))-- 2.26.2
From 52a1a031e6a7c0196cf17d0bd32061d02b453df8 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:52:00 -0400
Subject: [PATCH 3/3] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
The utility was complaining that it wasn't setgid to the group ID of the "smtpq" group.
* gnu/services/mail.scm (opensmtpd-service-type): Extend the
setuid-program-service-type with the smtpctl program.
---
 gnu/services/mail.scm | 7 +++++++
 1 file changed, 7 insertions(+)
Toggle diff (27 lines)diff --git a/gnu/services/mail.scm b/gnu/services/mail.scmindex 7c49d99e9f..96efbd951d 100644--- a/gnu/services/mail.scm+++ b/gnu/services/mail.scm@@ -1662,6 +1662,11 @@ match from local for any action outbound (home-directory "/var/empty") (shell (file-append shadow "/sbin/nologin"))))) +(define (opensmtpd-setuid-programs opensmtpd-configuration)+ (let ((smtpctl (file-append (opensmtpd-configuration-package+ opensmtpd-configuration) "/sbin/smtpctl")))+ (list (list smtpctl "smtpq"))))+ (define opensmtpd-activation (match-lambda (($ <opensmtpd-configuration> package config-file)@@ -1683,6 +1688,8 @@ match from local for any action outbound (extensions (list (service-extension account-service-type (const %opensmtpd-accounts))+ (service-extension setuid-program-service-type+ opensmtpd-setuid-programs) (service-extension activation-service-type opensmtpd-activation) (service-extension pam-root-service-type-- 2.26.2
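Review bot: `(list smtpctl "smtpq")` in the `opensmtpd-setuid-programs` hunk makes the binary owned by smtpq:smtpq, and because activation always applies mode #o6555 the result is set-user-ID smtpq as well as set-group-ID smtpq, while the commit message says only the setgid to the "smtpq" group was missing. The docstring example in patch 1 (`"root" "smtpq"`) would instead produce a set-user-ID-root binary under the same fixed mode, which is more privilege than the message describes. Either document which ownership is intended for smtpctl, or extend the mechanism so the mode (for example #o2555 for setgid-only) can be given alongside user and group.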
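Review bot: the `service-extension setuid-program-service-type` hunk relies on the smtpq account that the same service adds through `account-service-type`, but the activation code looks up the group with `getgrnam` before /etc is populated (see the dumpcap/wireshark failure reported later in this thread), so on the first activation that creates the smtpq group the smtpctl entry is skipped with a warning and only takes effect on the next reconfigure. Mention this in the commit message, or have the setuid step run after /etc is populated.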
Christopher Baines wrote on 11 Jun 2020 21:20
(address . maxim.cournoyer@gmail.com)(address . 41763@debbugs.gnu.org)
87v9jx8l5l.fsf@cbaines.net
maxim.cournoyer@gmail.com writes:
> The following patches provide a mean to specify a user and group for a
> setuid program, and uses that to fix a setgid permission issue in the
> context of the opensmtpd service.
>
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> --8<---------------cut here---------------start------------->8---
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
> --8<---------------cut here---------------end--------------->8---
>
> The smtpq user is created as part of the OpenSMTPD service definition.
>
> Thank you,
>
>
> Maxim
Well, thank you for looking in to this Maxim. I've had a brief look through the patches, although I don't know enough about this area to comment properly on them.
I wonder if it's worth using a record type to make it possible to pass the user and group values to the service. That would probably result in more readable configuration than just using a list of varying length.
Specifically on the diff:
- (list #$@programs))))))
+ (quote (#$@programs)))))))
This change here will mean that you can't pass some values in, as they won't be evaluated. #~(string-append sendmail "/usr/sbin/sendmail") would no longer work for example.
Thanks again,
Chris
Brice Waegeneire wrote on 15 Jun 2020 17:12
Re: [bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(address . maxim.cournoyer@gmail.com)
87d060747r.fsf@waegenei.re
Hello Maxim,
Thank you for the patchset!
maxim.cournoyer@gmail.com writes:
> The following patches provide a mean to specify a user and group for a
> setuid program, and uses that to fix a setgid permission issue in the
> context of the opensmtpd service.
I applied it to try to use wireshark as non-root[0]:
    (simple-service 'wireshark-group account-service-type
                    (list (user-group (name "wireshark") (system? #t))))
    (simple-service 'wireshark-dumpcap setuid-program-service-type
                    (list (list (file-append wireshark "/bin/dumpcap") "root" "wireshark")))
And unfortunately the first run of “guix reconfigure“ failed to make “dumpcap“ setuid, but a subsequent run succeeded:
    […]
    setting up setuid programs in '/run/setuid-programs'...
    warning: failed to make '/gnu/store/vdlk9rli5k5svy8p7bhf90ln03ybnxgj-wireshark-3.2.4/bin/dumpcap' setuid (root:wireshark): Success
    populating /etc from /gnu/store/hxjyvg80zjaxfynjyk3jgqsn9249azmx-etc...
    […]
I guess it's because at first there wasn't a wireshark group on my system; adding the group and the setuid program was done in the same run, but “setting up setuid programs” is done before “populating /etc” (comprising /etc/passwd), which in effect ended up trying to setuid “dumpcap“ before the “wireshark“ group exists. And subsequent runs succeeded in creating a setuid “dumpcap” because the new group was already on the system; it was created during the first run.
Populating /etc before setting up /run/setuid-programs should fix that issue, but maybe there is a reason behind the current order of execution.
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
>
Aside from that, I wonder if specifying user and group in a list is future proof; maybe using a record would be more Guixy. In particular I would like to be able to set capabilities (as with “setcap“) on binaries since the store doesn't support it[1], if that's even possible, but it's another issue.
[0]: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes
[1]: https://lists.gnu.org/archive/html/help-guix/2016-11/msg00046.html
- Brice
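The failure mode Brice describes (a group named in an entry that does not exist yet, reported as "Success"), as an added example that is not part of this thread or of Guix: a Python model, since Guix's own activation code is Guile Scheme, of the entry normalisation from patch 1 (PROGRAM, (PROGRAM USER) or (PROGRAM USER GROUP), with the group defaulting to the user name) that resolves the user and group before any file is copied, so a missing account is named explicitly instead of being reported through a stale errno. The `table_lookup` helper, the `plan` function, the `mode_flags` helper and the store paths written as `<hash>` are constructed for this example; the dumpcap path is the one from the log above.

```python
"""Model of the setuid-program ownership logic discussed in this thread.

Added example, not Guix code: entries are normalised the way patch 1's
match-lambda does it, then user/group are resolved *before* any copy,
chown or chmod so that a missing account produces a clear warning.
"""
import grp
import pwd
import stat
from types import SimpleNamespace
from typing import NamedTuple, Sequence, Union

Entry = Union[str, Sequence[str]]


class SetuidSpec(NamedTuple):
    program: str
    user: str
    group: str


class MissingAccount(Exception):
    """A user or group named by an entry is not (yet) on the system."""


def normalize_entry(entry: Entry) -> SetuidSpec:
    """Mirror the patch's clauses: a bare name means root:root, a missing
    user means "root", and a missing group means the *user's* name (which
    is what `(group user)` does in the patch, not "root")."""
    if isinstance(entry, str):
        return SetuidSpec(entry, "root", "root")
    parts = list(entry)
    if not 1 <= len(parts) <= 3 or not all(isinstance(p, str) for p in parts):
        # The patch's catch-all clause would let this reach basename();
        # reject it up front instead.
        raise ValueError(f"malformed setuid entry: {entry!r}")
    program = parts[0]
    user = parts[1] if len(parts) > 1 else "root"
    group = parts[2] if len(parts) > 2 else user
    return SetuidSpec(program, user, group)


def resolve_ownership(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Return (uid, gid), naming the missing account rather than relying on
    errno (the source of the misleading '... (root:wireshark): Success')."""
    try:
        uid = getpwnam(user).pw_uid
    except KeyError:
        raise MissingAccount(f"user '{user}' does not exist") from None
    try:
        gid = getgrnam(group).gr_gid
    except KeyError:
        raise MissingAccount(f"group '{group}' does not exist") from None
    return uid, gid


def table_lookup(table, attr):
    """Build a getpwnam/getgrnam-style function from a name->id dict, e.g.
    for a dry run against the accounts a reconfigure *will* create."""
    def lookup(name):
        if name not in table:
            raise KeyError(name)
        return SimpleNamespace(**{attr: table[name]})
    return lookup


def mode_flags(mode):
    """Which privilege bits a mode grants; 0o6555 grants both."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def plan(entries, mode=0o6555, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Split ENTRIES into (ready, skipped): ready items are (spec, uid, gid,
    mode) tuples whose ownership resolves; skipped items are (spec, reason)."""
    ready, skipped = [], []
    for entry in entries:
        spec = normalize_entry(entry)
        try:
            uid, gid = resolve_ownership(spec.user, spec.group, getpwnam, getgrnam)
        except MissingAccount as err:
            skipped.append((spec, str(err)))
            continue
        ready.append((spec, uid, gid, mode))
    return ready, skipped


if __name__ == "__main__":
    # Constructed sample: the account table stands in for /etc/passwd and
    # /etc/group *before* the "wireshark" group has been created.
    users = table_lookup({"root": 0, "smtpq": 999}, "pw_uid")
    groups = table_lookup({"root": 0, "smtpq": 999}, "gr_gid")
    entries = [
        "/gnu/store/<hash>-shadow/bin/passwd",
        ("/gnu/store/<hash>-opensmtpd/sbin/smtpctl", "root", "smtpq"),
        ("/gnu/store/vdlk9rli5k5svy8p7bhf90ln03ybnxgj-wireshark-3.2.4/bin/dumpcap",
         "root", "wireshark"),
    ]
    ready, skipped = plan(entries, getpwnam=users, getgrnam=groups)
    for spec, uid, gid, mode in ready:
        print(f"{spec.program}: {uid}:{gid} mode {mode:o} ({'+'.join(mode_flags(mode))})")
    for spec, reason in skipped:
        print(f"warning: skipping '{spec.program}': {reason}")
```

Injecting the lookup functions is what makes a pre-flight check possible: the same `plan` can be run against the account table a reconfigure is about to write, which would have flagged the dumpcap entry before the first run instead of after it.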
Brice Waegeneire wrote on 5 Jul 2020 13:47
Block #41874
(address . control@debbugs.gnu.org)
9667f027e8609b9f83d0d2a6773bb8de@waegenei.re
block 41874 with 41763
Jonathan Brielmaier wrote on 3 Jan 15:14 +0100
services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(address . 41763@debbugs.gnu.org)
5aa8fff2-b4e6-8cba-e396-cd5c7a144fbc@web.de
It's http://issues.guix.gnu.org/41763.
What does us block from merging this? It hits me hard when using OpenSMTPD.
Tobias Geerinckx-Rice wrote on 3 Jan 15:49 +0100
(address . 41763@debbugs.gnu.org)
87lfda5b3e.fsf@nckx
Jonathan Brielmaier wrote:
> What does us block from merging this?
Reading [0], Chris & Brice bring up two good points that I don't see addressed: using a record instead of a list & not breaking gexps, although fixing one would probably moot the other.
Kind regards,
T G-R
[0]: http://issues.guix.gnu.org/41763
Maxim Cournoyer wrote on 16 Jul 06:24 +0200
Re: bug#41763: services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
874kcunawx.fsf_-_@gmail.com
Hello,
Tobias Geerinckx-Rice <me@tobias.gr> writes:
> Jonathan Brielmaier wrote:
>> What does us block from merging this?
>
> Reading [0], Chris & Brice bring up two good points that I don't see
> addressed: using a record instead of a list & not breaking gexps,
> although fixing one would probably moot the other.
>
> Kind regards,
>
> T G-R
>
> [0]: http://issues.guix.gnu.org/41763
Closing in favor of https://issues.guix.gnu.org/44700.
Thanks,
Maxim
Closed
Tobias Geerinckx-Rice wrote on 16 Jul 07:37 +0200
(address . 41763@debbugs.gnu.org)
e7296590fd5ed6676150904fe2a297ab@tobias.gr
> Closing in favor of https://issues.guix.gnu.org/44700.
Yes please. Thanks.
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.