guix system roll-back doesn't roll setuid-programs back

Steps to reproduce:

1. Add a setuid program to your config:

(setuid-programs (cons*

(file-append hello "/bin/hello")

%setuid-programs))

2. guix system reconfigure

3. Observe that /run/setuid-programs/hello got created

4. Undo the configuration change

5. guix system reconfigure

6. Observe that /run/setuid-programs/hello no longer exists

7. guix system roll-back

Expected behavior:

/run/setuid-programs/hello appears again

Actual behavior:

/run/setuid-programs/hello still doesn't exist

Similarly, when roll-back is supposed to remove a file, it doesn't.

Previously mentioned in https://debbugs.gnu.org/38800.

Regards,

Jakub Kądziołka

owner 38884 !

owner 32054 !

thanks

severity 38884 important

quit

tags 38884 + security

quit

Hello Guix,

"setuid-programs-service" extend the activation script which isn't loaded when rolling-back.

A difference between "reconfigure" and "switch-generation" (of which "roll-back" is just an useful alias) is that the former load the activation script (guix scripts system reconfigure switch-system-program) after switching the profile's symlinks and before installing the bootloader while the latter install the bootloader (guix scripts system switch-to-system-generation) then switch the symlinks (guix profiles switch-to-generation). Fixing that could be done by loading the activation script after switching profiles, as "reconfigure" does.

I guess that loading the activation script again, on a already running running system, can have side effect but it shouldn't be an issue as it's already done by "reconfigure".

Cheers,

- Brice

close 38884

quit

Fixed in df138dc20858725b90ed77be85f3318cbe1be73a and later, see #46560.