guix system roll-back doesn't roll setuid-programs back

  • Done
Details
4 participants
  • Brice Waegeneire
  • Brice Waegeneire via web
  • Jakub Kądziołka
  • Ludovic Courtès
Owner
Somebody
Submitted by
Jakub Kądziołka
Severity
important
Jakub Kądziołka wrote on 3 Jan 2020 01:48
(address . bug-guix@gnu.org)
20200103004803.7xmz2dfz6hvs5oak@zdrowyportier.kadziolka.net
Steps to reproduce:

1. Add a setuid program to your config:

(setuid-programs (cons* (file-append hello "/bin/hello")
                        %setuid-programs))

2. guix system reconfigure
3. Observe that /run/setuid-programs/hello got created
4. Undo the configuration change
5. guix system reconfigure
6. Observe that /run/setuid-programs/hello no longer exists
7. guix system roll-back

Expected behavior:
/run/setuid-programs/hello appears again

Actual behavior:
/run/setuid-programs/hello still doesn't exist

Similarly, when roll-back is supposed to remove a file, it doesn't.

Previously mentioned in https://debbugs.gnu.org/38800.

Regards,
Jakub Kądziołka
Jakub Kądziołka wrote on 14 Jan 2020 01:02
Assigning bugs I will soon send patches for to myself (where soon = a few days)
(address . control@debbugs.gnu.org)
20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net
owner 38884 !
owner 32054 !
thanks
Ludovic Courtès wrote on 29 Jun 2020 22:07
control message for bug #38884
(address . control@debbugs.gnu.org)
877dvpbpq9.fsf@gnu.org
severity 38884 important
quit
Ludovic Courtès wrote on 29 Jun 2020 22:07
(address . control@debbugs.gnu.org)
875zb9bpq4.fsf@gnu.org
tags 38884 + security
quit
Brice Waegeneire via web wrote on 20 Sep 2020 22:43
guix system roll-back doesn't roll setuid-programs back
(address . 38884@debbugs.gnu.org)
7f8ff855af90.4ca1a3edb126540@guile.gnu.org
Hello Guix,

"setuid-programs-service" extends the activation script, which isn't loaded when rolling back.

A difference between "reconfigure" and "switch-generation" (of which "roll-back" is just a useful alias) is that the former loads the activation script (guix scripts system reconfigure switch-system-program) after switching the profile's symlinks and before installing the bootloader, while the latter installs the bootloader (guix scripts system switch-to-system-generation) and then switches the symlinks (guix profiles switch-to-generation). Fixing that could be done by loading the activation script after switching profiles, as "reconfigure" does.
I guess that loading the activation script again, on an already running system, can have side effects, but it shouldn't be an issue as it's already done by "reconfigure".

Cheers,
- Brice
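The reproduction steps in the report and Brice's explanation come down to one observable: after `guix system roll-back`, /run/setuid-programs still holds the wrappers of the generation being left rather than the one being entered, because the activation script is what repopulates that directory and switch-generation did not run it. The script below is an added example, not code from this bug report or from Guix: it audits a wrapper directory against the list of wrapper names the operator expects the active generation to provide, and reports both directions of drift, wrappers that are declared but absent ("missing") and wrappers that are still setuid but no longer declared ("stale"). The directory and the expected names are parameters; on a real system they would be /run/setuid-programs and the basenames of the generation's setuid-programs field, which this script assumes the operator supplies rather than reading the configuration itself. The function names setuid_wrappers and setuid_drift are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or from Guix): audit a setuid
# wrapper directory after `guix system roll-back`.
#
# Usage: sh setuid-drift.sh DIR NAME...
#   DIR     directory holding the wrappers (on Guix: /run/setuid-programs)
#   NAME... basenames the active generation is expected to provide, i.e.
#           the basenames of its setuid-programs field; assumed to be
#           supplied by the operator, this script does not read the config.

# setuid_wrappers DIR
# Print, sorted, the names of regular files in DIR whose setuid bit is set.
# `test -u` is the POSIX test for the set-user-ID mode bit.
setuid_wrappers() {
    dir=$1
    for f in "$dir"/*; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            basename "$f"
        fi
    done | sort
}

# setuid_drift DIR NAME...
# Compare what is really in DIR with what the generation should provide.
# Prints "missing NAME" for declared wrappers that are absent and
# "stale NAME" for setuid files that are present but no longer declared.
# Returns 0 when the two sets match, 1 otherwise.
setuid_drift() {
    dir=$1
    shift
    actual=$(setuid_wrappers "$dir")
    status=0
    # Declared but absent: the roll-back did not recreate the wrapper.
    for name in "$@"; do
        if ! printf '%s\n' "$actual" | grep -Fxq -e "$name"; then
            echo "missing $name"
            status=1
        fi
    done
    # Present but undeclared: the roll-back did not remove the wrapper, so a
    # setuid binary stays reachable that the active configuration never grants.
    for name in $actual; do
        if ! printf '%s\n' "$@" | grep -Fxq -e "$name"; then
            echo "stale $name"
            status=1
        fi
    done
    return $status
}

# When invoked directly with arguments, run the audit against them.
if [ $# -gt 0 ]; then
    setuid_drift "$@"
fi
```

Run it right after `guix system roll-back`; a non-zero exit with a "stale" line is the signature of this bug, and the stale wrapper is the security-relevant half, since it keeps a setuid binary reachable under a configuration that no longer grants it. The "missing" lines correspond to the hello case in the original report. The check only looks at the mode bit of the files in the directory, which is what matters to an attacker, and does not depend on any Guix internals.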
Brice Waegeneire wrote on 9 Mar 2021 07:17
control message for bug #38884
(address . control@debbugs.gnu.org)
87im60zw9a.fsf@waegenei.re
close 38884
quit

Fixed in df138dc20858725b90ed77be85f3318cbe1be73a and later, see #46560.