On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would create setuid-root binaries under /gnu/store for all the programs listed under ‘setuid-programs’ in the ‘operating-system’ declaration.

‘activate-setuid-programs’ in (gnu build activation) does this:

    (define (make-setuid-program prog)
      ;; Hard-link (or copy) PROG into %setuid-directory, then make the
      ;; staged file owned by root and setuid/setgid root.
      (let ((target (string-append %setuid-directory "/" (basename prog))))
        (link-or-copy prog target)
        (chown target 0 0)
        (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root: a hard link is a second name for the same inode, and the mode bits live in the inode, so the chmod on /run/setuid-programs/su also applies to the file in the store.

This leads to setuid-root files in the store, which is a violation of a fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.
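The following is an added illustration, not code from the Guix report or from Guix itself: it reproduces the two steps above in a scratch directory (constructed stand-ins for /gnu/store and /run/setuid-programs, nothing touches the real store) to show that the hard link leaves two setuid paths while a copy leaves one, and it includes the check an administrator would run against the real store to confirm the "no setuid files in the store" invariant.

```shell
#!/bin/sh
# Added example (not Guix code). A hard link is a second name for the same
# inode, and the mode bits live in the inode, so chmod on either name changes
# both. All paths below are constructed stand-ins; nothing touches /gnu/store.

# count_setuid_files DIR
#   Defender's check: count regular files under DIR with the setuid bit set.
#   Run against /gnu/store it should report 0 if the store invariant holds.
count_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# stage_and_setuid LINK_CMD
#   Stages a fake "su" into a fake setuid directory using LINK_CMD ("ln" or
#   "cp"), applies mode 6555 to the staged path (as (chmod target #o6555)
#   does), and prints how many files under the scratch tree are now setuid.
stage_and_setuid() {
    link_cmd=$1
    tmp=$(mktemp -d) || return 1
    store="$tmp/gnu/store/abc-shadow/bin"    # constructed store path
    setuid_dir="$tmp/run/setuid-programs"    # constructed %setuid-directory
    mkdir -p "$store" "$setuid_dir"
    printf '#!/bin/sh\necho fake su\n' > "$store/su"
    chmod 555 "$store/su"

    "$link_cmd" "$store/su" "$setuid_dir/su"  # step 1: ln (or cp)
    chmod 6555 "$setuid_dir/su"               # step 2: chmod +s on the staged path

    count_setuid_files "$tmp"
    rm -rf "$tmp"
}

# When run directly: hard link -> 2 setuid paths, copy -> 1.
echo "setuid files after ln: $(stage_and_setuid ln)"
echo "setuid files after cp: $(stage_and_setuid cp)"
```

The difference between the two runs is the whole bug: with `ln`, the chmod in step 2 reaches back into the store through the shared inode. `count_setuid_files /gnu/store` is the one-liner to check an existing system; any non-zero result means the invariant has already been broken.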