gnu: udevil: Fix loading of setuid-programs.

  • Done
Details
2 participants
  • Danny Milosavljevic
  • Raghav Gururajan
Owner
unassigned
Submitted by
Raghav Gururajan
Severity
normal
Raghav Gururajan wrote on 28 Apr 2020 08:52
(address . guix-patches@gnu.org)
20200428025228.09935bde.raghavgururajan@disroot.org

From de62f6773a75bffff632f70fa3062b3668462543 Mon Sep 17 00:00:00 2001
From: Raghav Gururajan <raghavgururajan@disroot.org>
Date: Tue, 28 Apr 2020 02:29:36 -0400
Subject: [PATCH] gnu: udevil: Fix loading of setuid-programs.

* gnu/packages/disk.scm (udevil): Fix loading of setuid-programs.

[1] Patched references to mount, umount, losetup and setfacl; as udevil
expects these programs to have uid set as root.
[2] Patched references to udevil; as udevil itself and devmon expect
udevil to have uid set as root.
---
gnu/packages/disk.scm | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index b7d3b9d954..2b9ba8e38d 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -103,16 +103,34 @@
(build-system gnu-build-system)
(arguments
`(#:configure-flags
- (list "--disable-systemd"
- (string-append "--sysconfdir="
- (assoc-ref %outputs "out")
- "/etc"))
+ (list
+ "--disable-systemd"
+ (string-append "--sysconfdir="
+ (assoc-ref %outputs "out")
+ "/etc")
+ ;; udevil expects these programs to be run with uid set as root.
+ ;; user has to manually add these programs to setuid-programs.
+ ;; mount and umount are default setuid-programs in guix system.
+ "--with-mount-prog=/run/setuid-programs/mount"
+ "--with-umount-prog=/run/setuid-programs/umount"
+ "--with-losetup-prog=/run/setuid-programs/losetup"
+ "--with-setfacl-prog=/run/setuid-programs/setfacl")
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'remove-root-reference
(lambda _
(substitute* "src/Makefile.in"
(("-o root -g root") ""))
+ #t))
+ (add-after 'unpack 'patch-udevil-reference
+ ;; udevil expects itself to be run with uid set as root.
+ ;; devmon also expects udevil to be run with uid set as root.
+ ;; user has to manually add udevil to setuid-programs.
+ (lambda _
+ (substitute* "src/udevil.c"
+ (("/usr/bin/udevil") "/run/setuid-programs/udevil"))
+ (substitute* "src/devmon"
+ (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil"))
#t)))))
(native-inputs
`(("intltool" ,intltool)
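
Review bot: The new configure flags and the patch-udevil-reference phase hard-code /run/setuid-programs/ paths that, per the comments beside them, only exist for mount and umount by default; losetup, setfacl and udevil resolve to nothing until the user adds them to setuid-programs, and the devmon substitution removes the "which udevil" lookup that would otherwise find a non-setuid copy. That requirement is stated only in code comments, so it should also appear where a user will read it, for example in the package description. Separately, the comments ask for udevil and its helper programs to be setuid root at the same time; a setuid-root setfacl or losetup can be called by any local user directly, not only through udevil, so the commit message should state why the helpers need the bit in addition to udevil itself.
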
--
2.26.2
Danny Milosavljevic wrote on 1 May 2020 14:24
(name . Raghav Gururajan)(address . raghavgururajan@disroot.org)(address . 40922@debbugs.gnu.org)
20200501142405.75821fbb@scratchpost.org
Hi Raghav,

On Tue, 28 Apr 2020 02:52:28 -0400
Raghav Gururajan <raghavgururajan@disroot.org> wrote:

> [1] Patched references to mount, umount, losetup and setfacl; as udevil
> expects these programs to have uid set as root.
> [2] Patched references to udevil; as udevil itself and devmon expect
> udevil to have uid set as root.

Why are both needed at the same time? If udevil is setuid root, then the
other tools are invoked as root anyway, right? Or does udevil drop root
privileges? (short look into src/udevil.c suggests yes)

Is there a description from upstream how all that is supposed to work?

Remainder OK.
Raghav Gururajan wrote on 1 May 2020 16:05
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 40922@debbugs.gnu.org)
20200501100506.174e5fa1.raghavgururajan@disroot.org
Hi Danny!

> Why are both needed at the same time? If udevil is setuid root, then the
> other tools are invoked as root anyway, right? Or does udevil drop root
> privileges? (short look into src/udevil.c suggests yes)

Yes, both are needed at the same time. I tried them alternatively, did not work.
As you mentioned, it drops privileges (file:src/udevil.c ; line:5061).

> Is there a description from upstream how all that is supposed to work?

There is some description in the "Set SUID" section of the README file.

> Remainder OK.

Thanks!

Regards,
RG.
Danny Milosavljevic wrote on 1 May 2020 16:38
(name . Raghav Gururajan)(address . raghavgururajan@disroot.org)(address . 40922-done@debbugs.gnu.org)
20200501163838.68e6ba19@scratchpost.org
Pushed to guix master as commit 8546f4da5b3677001dbda6b3a116f5bdc44ea5c0.
Closed