[PATCH] gnu: system: Privilege programs after creating accounts.

  • Open
  • quality assurance status badge
Details
One participant
  • Dariqq
Owner
unassigned
Submitted by
Dariqq
Severity
normal
D
D
Dariqq wrote 4 days ago
(address . guix-patches@gnu.org)(name . Dariqq)(address . dariqq@posteo.net)
aa111d331df102534aa8850b1be424b2391599ee.1728719758.git.dariqq@posteo.net
Ensure that users and groups are already created when the privileging script
runs. The order these scripts appear in the folded activation-service depends
on the order these services are instantiated in the operating-system.


* gnu/system.scm (operating-system-default-essential-services): Move
privileged-program-service above account-service.
(hurd-default-essential-services): Likewise.

Change-Id: I662fb1eff42e4088496fccb76e0efbf2b1da096e
---
Hi,
I tested that this fixes my problem of setting something suid to a new user. For the hurd change i only looked at the final value of activation-service type in hurd-barebones-os and confirmed that
'#<gexp gnu/system/shadow.scm:430:4>' is before #<gexp gnu/services.scm:922:6> (which is the privileging script).
I would prefer a solution that also models this dependency to not depend on input order but this might be tricky.


gnu/system.scm | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

Toggle diff (52 lines)
diff --git a/gnu/system.scm b/gnu/system.scm
index 44f93f91d1..c19730b331 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -809,6 +809,11 @@ (define (operating-system-default-essential-services os)
%shepherd-root-service
(pam-root-service (operating-system-pam-services os))
+ ;; Make sure that privileged-programs activation script
+ ;; runs after accounts are created
+ (service privileged-program-service-type
+ (append (operating-system-privileged-programs os)
+ (operating-system-setuid-programs os)))
(account-service (append (operating-system-accounts os)
(operating-system-groups os))
(operating-system-skeletons os))
@@ -826,9 +831,6 @@ (define (operating-system-default-essential-services os)
(operating-system-environment-variables os))
(service host-name-service-type host-name)
procs root-fs
- (service privileged-program-service-type
- (append (operating-system-privileged-programs os)
- (operating-system-setuid-programs os)))
(service profile-service-type
(operating-system-packages os))
boot-fs non-boot-fs
@@ -850,6 +852,11 @@ (define (hurd-default-essential-services os)
(service shepherd-root-service-type)
(service user-processes-service-type)
+ ;; Make sure that privileged-programs activation script
+ ;; runs after accounts are created
+ (service privileged-program-service-type
+ (append (operating-system-privileged-programs os)
+ (operating-system-setuid-programs os)))
(account-service (append (operating-system-accounts os)
(operating-system-groups os))
(operating-system-skeletons os))
@@ -866,9 +873,6 @@ (define (hurd-default-essential-services os)
(list `("hosts" ,hosts-file)))
(service hosts-service-type
(local-host-entries host-name)))
- (service privileged-program-service-type
- (append (operating-system-privileged-programs os)
- (operating-system-setuid-programs os)))
(service profile-service-type (operating-system-packages os)))))
(define* (operating-system-services os)

base-commit: b8fd792ea267cb920da0651074a533d8abf00488
--
2.46.0
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 73767@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 73767
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch