gnu: udevil: Fix loading of setuid-programs.

Done. Submitted by Raghav Gururajan.
Details
2 participants
  • Danny Milosavljevic
  • Raghav Gururajan
Owner
unassigned
Severity
normal
Raghav Gururajan wrote on 28 Apr 2020 08:52
(address . guix-patches@gnu.org)
20200428025228.09935bde.raghavgururajan@disroot.org
From de62f6773a75bffff632f70fa3062b3668462543 Mon Sep 17 00:00:00 2001
From: Raghav Gururajan <raghavgururajan@disroot.org>
Date: Tue, 28 Apr 2020 02:29:36 -0400
Subject: [PATCH] gnu: udevil: Fix loading of setuid-programs.

* gnu/packages/disk.scm (udevil): Fix loading of setuid-programs.

[1] Patched references to mount, umount, losetup and setfacl; as udevil
expects these programs to have uid set as root.
[2] Patched references to udevil; as udevil itself and devmon expects
udevil to have uid set as root.
---
 gnu/packages/disk.scm | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
Toggle diff (45 lines)diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scmindex b7d3b9d954..2b9ba8e38d 100644--- a/gnu/packages/disk.scm+++ b/gnu/packages/disk.scm@@ -103,16 +103,34 @@ (build-system gnu-build-system) (arguments `(#:configure-flags- (list "--disable-systemd"- (string-append "--sysconfdir="- (assoc-ref %outputs "out")- "/etc"))+ (list+ "--disable-systemd"+ (string-append "--sysconfdir="+ (assoc-ref %outputs "out")+ "/etc")+ ;; udevil expects these programs to be run with uid set as root.+ ;; user has to manually add these programs to setuid-programs.+ ;; mount and umount are default setuid-programs in guix system.+ "--with-mount-prog=/run/setuid-programs/mount"+ "--with-umount-prog=/run/setuid-programs/umount"+ "--with-losetup-prog=/run/setuid-programs/losetup"+ "--with-setfacl-prog=/run/setuid-programs/setfacl") #:phases (modify-phases %standard-phases (add-after 'unpack 'remove-root-reference (lambda _ (substitute* "src/Makefile.in" (("-o root -g root") ""))+ #t))+ (add-after 'unpack 'patch-udevil-reference+ ;; udevil expects itself to be run with uid set as root.+ ;; devmon also expects udevil to be run with uid set as root.+ ;; user has to manually add udevil to setuid-programs.+ (lambda _+ (substitute* "src/udevil.c"+ (("/usr/bin/udevil") "/run/setuid-programs/udevil"))+ (substitute* "src/devmon"+ (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil")) #t))))) (native-inputs `(("intltool" ,intltool)-- 2.26.2
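Review bot: In the #:configure-flags list, --with-losetup-prog and --with-setfacl-prog point at /run/setuid-programs entries that, per the comment directly above them, are not there by default, so udevil will reference missing binaries until the administrator adds them, and once they are added, losetup and setfacl run setuid root for every local user rather than only when called through udevil. Please confirm that udevil needs these two to be setuid in addition to mount and umount, and move the "user has to manually add these programs to setuid-programs" requirement out of the code comments into the package description or documentation, where users will see it. The same concern applies to the patch-udevil-reference phase: replacing `which udevil 2>/dev/null` in src/devmon with the fixed /run/setuid-programs/udevil removes the PATH lookup, so devmon has no fallback when udevil has not been added to setuid-programs. Since substitute* does not fail when a pattern does not match, it is also worth checking that both patterns still match the upstream sources.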
Danny Milosavljevic wrote on 1 May 2020 14:24
(name . Raghav Gururajan)(address . raghavgururajan@disroot.org)(address . 40922@debbugs.gnu.org)
20200501142405.75821fbb@scratchpost.org
Hi Raghav,
On Tue, 28 Apr 2020 02:52:28 -0400 Raghav Gururajan <raghavgururajan@disroot.org> wrote:
> [1] Patched references to mount, umount, losetup and setfacl; as udevil
> expects these programs to have uid set as root.
> [2] Patched references to udevil; as udevil itself and devmon expects
> udevil to have uid set as root.
Why are both needed at the same time? If udevil is setuid root, then the other tools are invoked as root anyway, right? Or does udevil drop root privileges? (short look into src/udevil.c suggests yes)
Is there a description from upstream how all that is supposed to work?
Remainder OK.
Raghav Gururajan wrote on 1 May 2020 16:05
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 40922@debbugs.gnu.org)
20200501100506.174e5fa1.raghavgururajan@disroot.org
Hi Danny!
> Why are both needed at the same time? If udevil is setuid root, then the
> other tools are invoked as root anyway, right? Or does udevil drop root
> privileges? (short look into src/udevil.c suggests yes)
Yes, both are needed at the same time. I tried them alternatively, did not work. As you mentioned, it drops privileges (file:src/udevil.c ; line:5061).
> Is there a description from upstream how all that is supposed to work?
There is some description in the "Set SUID" section of the README file (https://github.com/IgnorantGuru/udevil/blob/master/README).
> Remainder OK.
Thanks!
Regards,
RG.
Danny Milosavljevic wrote on 1 May 2020 16:38
(name . Raghav Gururajan)(address . raghavgururajan@disroot.org)(address . 40922-done@debbugs.gnu.org)
20200501163838.68e6ba19@scratchpost.org
Pushed to guix master as commit 8546f4da5b3677001dbda6b3a116f5bdc44ea5c0.
Closed