services: opensmtpd: Fix the setgid problem for the smtpctl utility.

DoneSubmitted by maxim.cournoyer.
Details
5 participants
  • Brice Waegeneire
  • Jonathan Brielmaier
  • Christopher Baines
  • maxim.cournoyer
  • Tobias Geerinckx-Rice
Owner
unassigned
Severity
normal
M
M
maxim.cournoyer wrote on 8 Jun 2020 19:46
(name . guix-patches)(address . guix-patches@gnu.org)(name . Christopher Baines)(address . mail@cbaines.net)
87eeqpih6q.fsf@hurd.i-did-not-set--mail-host-address--so-tickle-me
Hello!

The following patches provide a mean to specify a user and group for a
setuid program, and uses that to fix a setgid permission issue in the
context of the opensmtpd service.

Christopher, you should be able to leverage this new facility to
configure the uid/gid of the sendmail program to that of the smtpq user,
like this:

Toggle snippet (6 lines)
(operating-system)
[...]
(setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
%setuid-programs))

The smtpq user is created as part of the OpenSMTPD service definition.

Thank you,
From e1b8840da16fb531f6607892ebf08f2d5472b962 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:01:49 -0400
Subject: [PATCH 1/3] services: Allow configuring the ownership of setuid
programs.


* gnu/build/activation.scm (activate-setuid-programs): Update doc. Allow a
program entry to be a list that may include a user and a group.
[make-setuid-program] New USER and GROUP keyword parameters. Move the error
handling inside the MAKE-SETUID-PROGRAM helper procedure.
* gnu/services.scm (setuid-program-service-type): Update doc.
* doc/guix.texi (Setuid Programs): Update doc.
---
doc/guix.texi | 17 +++++++++++---
gnu/build/activation.scm | 48 +++++++++++++++++++++++++---------------
gnu/services.scm | 17 ++++++++++++--
3 files changed, 59 insertions(+), 23 deletions(-)

Toggle diff (149 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 056bf011f6..83d7344bd8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26429,14 +26429,25 @@ should be setuid root.
 
 The @code{setuid-programs} field of an @code{operating-system}
 declaration contains a list of G-expressions denoting the names of
-programs to be setuid-root (@pxref{Using the Configuration System}).
-For instance, the @command{passwd} program, which is part of the Shadow
-package, can be designated by this G-expression (@pxref{G-Expressions}):
+programs to be setuid (@pxref{Using the Configuration System}).  The
+user and group ownership of the setuid program default to @code{root},
+but can be specified by declaring them along the file name of the
+program.  For instance, the @command{passwd} program, which is part of
+the Shadow package, can be designated as a setuid-root porgram by this
+G-expression (@pxref{G-Expressions}):
 
 @example
 #~(string-append #$shadow "/bin/passwd")
 @end example
 
+As a second example, the @command{smtpctl} program, which is part of the
+OpenSMTPD package, requires to have its group set to @samp{smtpq}.
+This can be specified using:
+
+@example
+(list (file-append opensmtpd "/bin/smtpctl") "smtpq" "smtpq")
+@end example
+
 A default set of setuid programs is defined by the
 @code{%setuid-programs} variable of the @code{(gnu system)} module.
 
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 30f5e87d5a..6be3664d44 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -227,14 +228,28 @@ they already exist."
   "/run/setuid-programs")
 
 (define (activate-setuid-programs programs)
-  "Turn PROGRAMS, a list of file names, into setuid programs stored under
-%SETUID-DIRECTORY."
-  (define (make-setuid-program prog)
+  "Turn PROGRAMS, a list of file names and/or of nested lists composed of a
+file name, a user and a group, into setuid programs stored under
+%SETUID-DIRECTORY.  The user and group default to \"root\" and affect the
+ownership of the associated file name."
+  (define* (make-setuid-program prog #:key (user "root") (group user))
     (let ((target (string-append %setuid-directory
                                  "/" (basename prog))))
-      (copy-file prog target)
-      (chown target 0 0)
-      (chmod target #o6555)))
+      (catch 'system-error
+        (lambda ()
+          (let ((uid (passwd:uid (getpwnam user)))
+                (gid (group:gid (getgrnam group))))
+            (copy-file prog target)
+            (chown target uid gid)
+            (chmod target #o6555)))
+        (lambda args
+          ;; If we fail to create a setuid program, better keep going
+          ;; so that we don't leave %SETUID-DIRECTORY empty or
+          ;; half-populated.  This can happen if PROGRAMS contains
+          ;; incorrect file names: <https://bugs.gnu.org/38800>.
+          (format (current-error-port)
+                  "warning: failed to make '~a' setuid (~a:~a): ~a~%"
+                  prog user group (strerror (system-error-errno args)))))))
 
   (format #t "setting up setuid programs in '~a'...~%"
           %setuid-directory)
@@ -247,18 +262,15 @@ they already exist."
                          string<?))
       (mkdir-p %setuid-directory))
 
-  (for-each (lambda (program)
-              (catch 'system-error
-                (lambda ()
-                  (make-setuid-program program))
-                (lambda args
-                  ;; If we fail to create a setuid program, better keep going
-                  ;; so that we don't leave %SETUID-DIRECTORY empty or
-                  ;; half-populated.  This can happen if PROGRAMS contains
-                  ;; incorrect file names: <https://bugs.gnu.org/38800>.
-                  (format (current-error-port)
-                          "warning: failed to make '~a' setuid-root: ~a~%"
-                          program (strerror (system-error-errno args))))))
+  (for-each (match-lambda
+              ((program user group)
+               (make-setuid-program program #:user user #:group group))
+              ((program user)
+               (make-setuid-program program #:user user))
+              ((program)
+               (make-setuid-program program))
+              (program
+               (make-setuid-program program)))
             programs))
 
 (define (activate-special-files special-files)
diff --git a/gnu/services.scm b/gnu/services.scm
index 2e4648bf78..19a1c38ceb 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Chris Marusich <cmmarusich@gmail.com>
+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -681,12 +682,24 @@ FILES must be a list of name/file-like object pairs."
                  (list (service-extension activation-service-type
                                           (lambda (programs)
                                             #~(activate-setuid-programs
-                                               (list #$@programs))))))
+                                               (quote (#$@programs)))))))
                 (compose concatenate)
                 (extend append)
                 (description
                  "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid-root.")))
+executables, making them setuid.  The PROGRAMS entries extending the
+setuid-program-service-type is a list of file-like objects.  Alternatively to
+file-like objects, nested lists containing a file-like object, a user and a
+group can be used to control the ownership of the associated file.
+
+Example:
+
+(list (file-append shadow \"/bin/passwd\")
+      (list (file-append opensmtpd \"/bin/smtpctl\") \"root\" \"smtpq\"))
+
+The @command{passwd} program has both its user and group set to the
+default \"root\" while the @command{smtpctl} program has its user set to
+\"root\" and its group set to \"smtpq\".")))
 
 (define (packages->profile-entry packages)
   "Return a system entry for the profile containing PACKAGES."
-- 
2.26.2
From 01c1ab83bf6f5a8158a993de2fa0048f6d172a73 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:49:25 -0400
Subject: [PATCH 2/3] services: opensmtpd: Remove unused binding.

* gnu/services/mail.scm (opensmtpd-activation): Remove unused SMTPD variable
binding.
---
gnu/services/mail.scm | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)

Toggle diff (30 lines)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index cfcaf4601b..7c49d99e9f 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1665,15 +1665,14 @@ match from local for any action outbound
 (define opensmtpd-activation
   (match-lambda
     (($ <opensmtpd-configuration> package config-file)
-     (let ((smtpd (file-append package "/sbin/smtpd")))
-       #~(begin
-           (use-modules (guix build utils))
-           ;; Create mbox and spool directories.
-           (mkdir-p "/var/mail")
-           (mkdir-p "/var/spool/smtpd")
-           (chmod "/var/spool/smtpd" #o711)
-           (mkdir-p "/var/spool/mail")
-           (chmod "/var/spool/mail" #o711))))))
+     #~(begin
+         (use-modules (guix build utils))
+         ;; Create mbox and spool directories.
+         (mkdir-p "/var/mail")
+         (mkdir-p "/var/spool/smtpd")
+         (chmod "/var/spool/smtpd" #o711)
+         (mkdir-p "/var/spool/mail")
+         (chmod "/var/spool/mail" #o711)))))
 
 (define %opensmtpd-pam-services
   (list (unix-pam-service "smtpd")))
-- 
2.26.2
From 52a1a031e6a7c0196cf17d0bd32061d02b453df8 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:52:00 -0400
Subject: [PATCH 3/3] services: opensmtpd: Fix the setgid problem for the
smtpctl utility.

The utility was complaining that it wasn't setgid to the group ID of the
"smtpq" group.

* gnu/services/mail.scm (opensmtpd-service-type): Extend the
setuid-program-service-type with the smtpctl program.
---
gnu/services/mail.scm | 7 +++++++
1 file changed, 7 insertions(+)

Toggle diff (27 lines)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 7c49d99e9f..96efbd951d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1662,6 +1662,11 @@ match from local for any action outbound
          (home-directory "/var/empty")
          (shell (file-append shadow "/sbin/nologin")))))
 
+(define (opensmtpd-setuid-programs opensmtpd-configuration)
+  (let ((smtpctl (file-append (opensmtpd-configuration-package
+                               opensmtpd-configuration) "/sbin/smtpctl")))
+    (list (list smtpctl "smtpq"))))
+
 (define opensmtpd-activation
   (match-lambda
     (($ <opensmtpd-configuration> package config-file)
@@ -1683,6 +1688,8 @@ match from local for any action outbound
    (extensions
     (list (service-extension account-service-type
                              (const %opensmtpd-accounts))
+          (service-extension setuid-program-service-type
+                             opensmtpd-setuid-programs)
           (service-extension activation-service-type
                              opensmtpd-activation)
           (service-extension pam-root-service-type
-- 
2.26.2
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEJ9WGpPiQCFQyn/CfEmDkZILmNWIFAl7eeX0ACgkQEmDkZILm
NWJXDg/+JGbUaMn8GMdk4Ek1ZJSsZusQWvzXR+ie82wLZ51LtpuAmNmtFeYiODe7
UYMVZGXTLhRqhwxdEoQUE6+i1H1Y3qj9D8nl6223/ZU63czuFb7JiQ6QmeU6KGao
Un/yVZyERznxeUUvqZQlH3oPLQglvc1K2w+zcAhdcCf2GJjJjkGoOrvI5hQ/sueh
/E8GG71FqGPMT3MRaHc7G4T1GDAXFlHK9YmLwFzRLPnEAQMVlMidw8EgKd7g1ZWT
tE+1iQbyrNpodDHUDTotWUtFxKmyFovm3ct3K3xFs3Ao6EwVZfJqNvNJlx7O6IiH
Nat8Z5H0zZ6MwCiEJToetZfNSG+rRX0jpGwDRDBx6hwXxCEslHUGbyBGyZlQQuji
PYYpqWzQYAzpv8ijnsIYYFoowopABGfvZlWTtXBgLyNETgli1pQTxT5H/a8Tkm7t
ySDI9+2nPnJilirnTUFynspUWL0oYzJExi5ZLnt1yNU9mwmFTKecM2mx5q6wjXBY
erTN+2JwfW7X2Nrb8JNJKHoDBUJpGmj8lvIZoTcB4B46vkDzCcC497fpFaGAuh3f
kO6TC+NABNncXRGTsaf5rIS7HwIFBZkfmrNTaEX4AwFzzo8D7RZ3q8kW/m9LgEzR
zvyW3CVQBoKiqyoPoxTum0Bsw7FG8YrhWoj7ECdQwzHY7qj5OJs=
=FFdP
-----END PGP SIGNATURE-----

C
C
Christopher Baines wrote on 11 Jun 2020 21:20
(address . maxim.cournoyer@gmail.com)(address . 41763@debbugs.gnu.org)
87v9jx8l5l.fsf@cbaines.net
maxim.cournoyer@gmail.com writes:

Toggle quote (22 lines)
> The following patches provide a mean to specify a user and group for a
> setuid program, and uses that to fix a setgid permission issue in the
> context of the opensmtpd service.
>
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> --8<---------------cut here---------------start------------->8---
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
> --8<---------------cut here---------------end--------------->8---
>
> The smtpq user is created as part of the OpenSMTPD service definition.
>
> Thank you,
>
>
> Maxim

Well, thank you for looking in to this Maxim. I've had a brief look
through the patches, although I don't know enough about this area to
comment properly on them.

I wonder if it's worth using a record type to make it possible to pass
the user and group values to the service. That would probably result in
more readable configuration than just using a list of varying length.

Specifically on the diff:

- (list #$@programs))))))
+ (quote (#$@programs)))))))

This change here will mean that you can't pass some values in, as they
won't be evaluated. #~(string-append sendmail "/usr/sbin/sendmail")
would no longer work for example.

Thanks again,

Chris
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEPonu50WOcg2XVOCyXiijOwuE9XcFAl7ig+ZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF
ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcACgkQXiijOwuE
9XfQ5w//TdCjyIV7Il7qPxVxVkms4DPVxiCBM7owp8+Pd7alvSs1RucW/ItAJFGJ
cqiOpK52A9TOQ6Nn5RgWvKR9F4LVQ/kg8kLEWsTtjAetoQU5fv5MnraN8q7Jkeej
PZtFj1h5HoBbVVxPSNcMVsX/l2WwrLZ0GzdNDYTH5PPovlMFSL1Vr1CEe8mvDAnL
LJ8znjXz149b9DS+aqWx+SOFyR3e+6cNdyfVIe0tFlum+QjIUXt+9iCr1RVc2WJB
QKPPCabnzyVuSz8p7pQHoUlxgO+9hDmoZKPVeZQ4NuzBLqZ4Jqzyc+2ydg8nKcBJ
58GcTmZUrd/QmSpzZpJWw6ljhhY0iapGeVKI+x+sHrXIepVLw3Vh50exOCvSYMit
HBJ7C4qRFmQZ/I+9CuyHHdCJGWftre0s0nQf8jaEkRoFeuI2uOqQKP3O2TsQKlRN
j1wZy8zRxT1XIITtyl8r7s3/LANUCj6PSXvOrKAeWuBT8CuHxXjekywuIHw1fU2X
Xp8SVuC8hVsoFisR6N+zJrg7EkPolyQsjw5a3TIxW1/aVuMXvro8ptVsika6bExJ
j/vGYHT7jtmdQoKNNTPfkPYyvPnSAFjUx/V273uaH1Z802Bm398qqwVEwr8V9Qf4
9JOCiJ48svqO5zrrjJuoajLjo7/v/X1bdUNL8C0qg5B8YweeEY8=
=5aP7
-----END PGP SIGNATURE-----

B
B
Brice Waegeneire wrote on 15 Jun 2020 17:12
Re: [bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(address . maxim.cournoyer@gmail.com)
87d060747r.fsf@waegenei.re
Hello Maxim,

Thank you for the patchset!

maxim.cournoyer@gmail.com writes:

Toggle quote (4 lines)
> The following patches provide a mean to specify a user and group for a
> setuid program, and uses that to fix a setgid permission issue in the
> context of the opensmtpd service.

I applied it to try to use wireshark as non-root[0]:

Toggle snippet (7 lines)
(simple-service 'wireshark-group account-service-type
(list (user-group (name "wireshark") (system? #t))))
(simple-service 'wireshark-dumpcap setuid-program-service-type
(list (list (file-append wireshark "/bin/dumpcap")
"root" "wireshark")))

And unfortunately the first run of “guix reconfigure“ failed to make
“dumpcap“ as a setuid, but subsequent run succeeded:

Toggle snippet (7 lines)
[…]
setting up setuid programs in '/run/setuid-programs'...
warning: failed to make '/gnu/store/vdlk9rli5k5svy8p7bhf90ln03ybnxgj-wireshark-3.2.4/bin/dumpcap' setuid (root:wireshark): Success
populating /etc from /gnu/store/hxjyvg80zjaxfynjyk3jgqsn9249azmx-etc...
[…]

I guess it's because at first there wasn't a wireshark group on my
system, adding the group and the setuid program was done in the same
run, but “setting up setuid programs” is done before “populating /etc”
(comprising /etc/passwd) which in effect ended up trying to setuid
“dumpcap“ before the “wireshark“ group exists. And subsequent runs
succeeded creating a setuid “dumpcap” because the new group was already
on the system, it was created during the first run.

Populating /etc before setting up /run/setuid-programs should fix that
issue but maybe there is reason behind the current order of execution.

Toggle quote (10 lines)
> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> (operating-system)
> [...]
> (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
> %setuid-programs))
>

Aside from that I wonder if specifying user and group in a list is
future proof, maybe using a record would be more Guixy. In particular I
would like to be able to set capabilities (as with “setcap“) on binaries
since the store don't support it[1]; if that's even possible but it's an
other issue.


- Brice
B
B
Brice Waegeneire wrote on 5 Jul 2020 13:47
Block #41874
(address . control@debbugs.gnu.org)
9667f027e8609b9f83d0d2a6773bb8de@waegenei.re
block 41874 with 41763
J
J
Jonathan Brielmaier wrote on 3 Jan 2021 15:14
services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(address . 41763@debbugs.gnu.org)
5aa8fff2-b4e6-8cba-e396-cd5c7a144fbc@web.de

What does us block from merging this? It hits me hard when using OpenSMTPD.
T
T
Tobias Geerinckx-Rice wrote on 3 Jan 2021 15:49
(address . 41763@debbugs.gnu.org)
87lfda5b3e.fsf@nckx
Jonathan Brielmaier 写道:
Toggle quote (2 lines)
> What does us block from merging this?

Reading [0], Chris & Brice bring up two good points that I don't
see addressed: using a record instead of a list & not breaking
gexps, although fixing one would probably moot the other.

Kind regards,

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCX/HZlQ0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15NHIBAKrJR1+Baz9JB8K2wvHNLBnwHH1XIuMG//rWiOZa
3OuVAP9CsnxR5Ta1t19pyjXrdhMzidBhPea8LdaoaNB5SF+PAA==
=LZhz
-----END PGP SIGNATURE-----

M
M
Maxim Cournoyer wrote on 16 Jul 2021 06:24
Re: bug#41763: services: opensmtpd: Fix the setgid problem for the smtpctl utility.
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
874kcunawx.fsf_-_@gmail.com
Hello,

Tobias Geerinckx-Rice <me@tobias.gr> writes:

Toggle quote (13 lines)
> Jonathan Brielmaier 写道:
>> What does us block from merging this?
>
> Reading [0], Chris & Brice bring up two good points that I don't see
> addressed: using a record instead of a list & not breaking gexps,
> although fixing one would probably moot the other.
>
> Kind regards,
>
> T G-R
>
> [0]: http://issues.guix.gnu.org/41763


Thanks,

Maxim
Closed
T
T
Tobias Geerinckx-Rice wrote on 16 Jul 2021 07:37
(address . 41763@debbugs.gnu.org)
e7296590fd5ed6676150904fe2a297ab@tobias.gr
Toggle quote (2 lines)
Yes please. Thanks.

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.
?
Your comment

This issue is archived.

To comment on this conversation send email to 41763@debbugs.gnu.org