guix system roll-back doesn't roll setuid-programs back

  • Done
Details
4 participants
  • Brice Waegeneire
  • Brice Waegeneire via web
  • Jakub Kądziołka
  • Ludovic Courtès
Owner
Somebody
Submitted by
Jakub Kądziołka
Severity
important
Jakub Kądziołka wrote on 3 Jan 2020 01:48
(address . bug-guix@gnu.org)
20200103004803.7xmz2dfz6hvs5oak@zdrowyportier.kadziolka.net
Steps to reproduce:

1. Add a setuid program to your config:

   (setuid-programs (cons*
                      (file-append hello "/bin/hello")
                      %setuid-programs))

2. guix system reconfigure
3. Observe that /run/setuid-programs/hello got created
4. Undo the configuration change
5. guix system reconfigure
6. Observe that /run/setuid-programs/hello no longer exists
7. guix system roll-back

Expected behavior:
/run/setuid-programs/hello appears again

Actual behavior:
/run/setuid-programs/hello still doesn't exist

Similarly, when roll-back is supposed to remove a file, it doesn't.

Previously mentioned in https://debbugs.gnu.org/38800.

Regards,
Jakub Kądziołka
Jakub Kądziołka wrote on 14 Jan 2020 01:02
Assigning bugs I will soon send patches for to myself (where soon = a few days)
(address . control@debbugs.gnu.org)
20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net
owner 38884 !
owner 32054 !
thanks
Ludovic Courtès wrote on 29 Jun 2020 22:07
control message for bug #38884
(address . control@debbugs.gnu.org)
877dvpbpq9.fsf@gnu.org
severity 38884 important
quit
Ludovic Courtès wrote on 29 Jun 2020 22:07
(address . control@debbugs.gnu.org)
875zb9bpq4.fsf@gnu.org
tags 38884 + security
quit
Brice Waegeneire via web wrote on 20 Sep 2020 22:43
guix system roll-back doesn't roll setuid-programs back
(address . 38884@debbugs.gnu.org)
7f8ff855af90.4ca1a3edb126540@guile.gnu.org
Hello Guix,

"setuid-programs-service" extends the activation script, which isn't loaded when rolling back.

A difference between "reconfigure" and "switch-generation" (of which "roll-back" is just a useful alias) is that the former loads the activation script (guix scripts system reconfigure switch-system-program) after switching the profile's symlinks and before installing the bootloader, while the latter installs the bootloader (guix scripts system switch-to-system-generation) then switches the symlinks (guix profiles switch-to-generation). Fixing that could be done by loading the activation script after switching profiles, as "reconfigure" does.
I guess that loading the activation script again, on an already running system, can have side effects but it shouldn't be an issue as it's already done by "reconfigure".

Cheers,
- Brice
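
An added example, not part of this thread and not Guix code: a shell check that compares a setuid directory such as /run/setuid-programs against the program names the operator expects for the active generation, and reports the stale or missing entries this bug leaves behind after a roll-back. The function name, the expected-list file (one basename per line, maintained by the operator) and the report labels are assumptions.

```shell
#!/bin/sh
# Added example (not Guix code): audit a setuid-programs directory against
# an operator-supplied list of expected program names, one basename per line.
# Assumption: the expected list is written by the operator from the
# (setuid-programs ...) field of the configuration that should be active.

# audit_setuid_dir DIR EXPECTED_FILE
#   STALE name       present in DIR but not expected (roll-back did not remove it)
#   NOT-SETUID name  expected and present, but the setuid bit is not set
#   MISSING name     expected but absent from DIR (roll-back did not restore it)
# Returns 0 when DIR matches the list, 1 on any finding.
audit_setuid_dir() {
    dir=$1 expected=$2 rc=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue      # empty directory: the glob matched nothing
        name=${path##*/}
        if ! grep -Fxq -- "$name" "$expected"; then
            echo "STALE $name"; rc=1
        elif [ ! -u "$path" ]; then
            echo "NOT-SETUID $name"; rc=1
        fi
    done
    while IFS= read -r name; do
        [ -n "$name" ] || continue      # skip blank lines in the list
        [ -e "$dir/$name" ] || { echo "MISSING $name"; rc=1; }
    done < "$expected"
    return $rc
}

# Stand-alone use: sh audit.sh /run/setuid-programs expected-names.txt
if [ "$#" -eq 2 ]; then
    audit_setuid_dir "$1" "$2"
    exit $?
fi
```

Running it after each "guix system roll-back" or "switch-generation" on an affected version shows whether the directory still reflects the previous generation.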
Brice Waegeneire wrote on 9 Mar 2021 07:17
control message for bug #38884
(address . control@debbugs.gnu.org)
87im60zw9a.fsf@waegenei.re
close 38884
quit

Fixed in df138dc20858725b90ed77be85f3318cbe1be73a and later, see #46560.

This issue is archived.