Undefined activation ordering between ‘setuid-p rogram-service-type’ and ‘account-service-type’
(address . bug-guix@gnu.org)
878rf24dqz.fsf@psyduck.jhoto.kublai.com
There is currently no way to ensure that an account exists before
creating /run/setuid-programs, which means a setuid-program which
uses a custom user or group will fail to be created if setuid
activation happens before account activation.
As an example, here's a system config where I'm trying to install
‘/run/setuid-programs/dumpcap’ as setuid root with a primary group
of ‘wireshark’, also created by this config:
Toggle snippet (72 lines)
(use-modules (gnu)
(gnu system setuid))
(use-package-modules networking)
(use-service-modules setuid)
;; TODO: make name configurable
(define %wireshark-groups
(list (user-group
(name "wireshark")
(system? #t))))
(define %wireshark-setuid-programs
(list (setuid-program
(program (file-append wireshark "/bin/dumpcap"))
(group "wireshark")
#;(mask #o550))))
(define wireshark-service-type
(service-type
(name 'wireshark)
(description "Allow use of wireshark by regular users in the
@code{wireshark} group.")
(extensions
(list (service-extension account-service-type
(const %wireshark-groups))
(service-extension setuid-program-service-type
(const %wireshark-setuid-programs))))
(default-value #f)))
(operating-system
(locale "en_US.utf8")
(timezone "America/New_York")
(keyboard-layout (keyboard-layout "us"))
(host-name "wireshark-test")
(users (cons* (user-account
(name "test")
(group "users")
(password (crypt "test" "$6$test"))
(supplementary-groups
'("wireshark")))
%base-user-accounts))
(packages
(cons*
(specification->package "wireshark")
%base-packages))
(services
(cons*
(service wireshark-service-type)
%base-services))
(bootloader
(bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
'btrfs))
(type "btrfs"))
(file-system
(mount-point "/boot/efi")
(device (uuid "6866-56B1" 'fat32))
(type "vfat"))
%base-file-systems)))
When trying to boot this system in a VM, I'm told that the dumpcap
binary couldn't be created because the file wasn't found. The
returned error is improperly attributed: the source file does
exist, and the error code is actually coming from getgrent(3)
which cannot find the ‘wireshark’ group.
Tracing through the activation scripts shows this to be because,
in this case, setuid-program activation happens before
account-activation.
Thanks to jpoiret for doing a lot of the investigative work here,
which I'm merely verifying through testing.
I believe the correct solution here is to move ‘setuid-program’
activation to a one-shot Shepherd service, because Shepherd allows
explicit ordering, as well as other advantages. To that end, I
have a patch which does precisely that, which I will send to the
patches list shorty.
-bjc