guix system roll-back doesn't roll setuid-programs back

Done

Details

4 participants

Brice Waegeneire
Brice Waegeneire via web
Jakub Kądziołka
Ludovic Courtès

Owner: Somebody

Submitted by: Jakub Kądziołka

Severity: important

Jakub Kądziołka wrote on 3 Jan 2020 01:48

Recipients:(address . bug-guix@gnu.org)

Message-ID:20200103004803.7xmz2dfz6hvs5oak@zdrowyportier.kadziolka.net

Steps to reproduce:

1. Add a setuid program to your config:

(setuid-programs (cons*

(file-append hello "/bin/hello")

%setuid-programs))

2. guix system reconfigure

3. Observe that /run/setuid-programs/hello got created

4. Undo the configuration change

5. guix system reconfigure

6. Observe that /run/setuid-programs/hello no longer exists

7. guix system roll-back

Expected behavior:

/run/setuid-programs/hello appears again

Actual behavior:

/run/setuid-programs/hello still doesn't exist

Similarly, when roll-back is supposed to remove a file, it doesn't.

Previously mentioned in https://debbugs.gnu.org/38800.

Regards,

Jakub Kądziołka

Jakub Kądziołka wrote on 14 Jan 2020 01:02

Assigning bugs I will soon send patches for to myself (where soon = a few days)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:20200114000245.4q7mv7y6mqgpbxz4@zdrowyportier.kadziolka.net

owner 38884 !
owner 32054 !
thanks

Ludovic Courtès wrote on 29 Jun 2020 22:07

control message for bug #38884

Recipients:(address . control@debbugs.gnu.org)

Message-ID:877dvpbpq9.fsf@gnu.org

severity 38884 important

quit

Ludovic Courtès wrote on 29 Jun 2020 22:07

Recipients:(address . control@debbugs.gnu.org)

Message-ID:875zb9bpq4.fsf@gnu.org

tags 38884 + security

quit

Brice Waegeneire via web wrote on 20 Sep 2020 22:43

guix system roll-back doesn't roll setuid-programs back

Recipients:(address . 38884@debbugs.gnu.org)

Message-ID:7f8ff855af90.4ca1a3edb126540@guile.gnu.org

Hello Guix,

"setuid-programs-service" extend the activation script which isn't loaded when rolling-back.

A difference between "reconfigure" and "switch-generation" (of which "roll-back" is just an useful alias) is that the former load the activation script (guix scripts system reconfigure switch-system-program) after switching the profile's symlinks and before installing the bootloader while the latter install the bootloader (guix scripts system switch-to-system-generation) then switch the symlinks (guix profiles switch-to-generation). Fixing that could be done by loading the activation script after switching profiles, as "reconfigure" does.

I guess that loading the activation script again, on a already running running system, can have side effect but it shouldn't be an issue as it's already done by "reconfigure".

Cheers,

- Brice

Brice Waegeneire wrote on 9 Mar 2021 07:17

control message for bug #38884

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87im60zw9a.fsf@waegenei.re

close 38884

quit

Fixed in df138dc20858725b90ed77be85f3318cbe1be73a and later, see #46560.

Your comment

This issue is archived.

To comment on this conversation send an email to 38884@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date