From debbugs-submit-bounces@debbugs.gnu.org Sun Feb 12 15:49:00 2023 Received: (at 61462) by debbugs.gnu.org; 12 Feb 2023 20:49:00 +0000 Received: from localhost ([127.0.0.1]:46999 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pRJHP-0004h8-Oy for submit@debbugs.gnu.org; Sun, 12 Feb 2023 15:49:00 -0500 Received: from tobias.gr ([80.241.217.52]:55494) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pRJHE-0004er-51 for 61462@debbugs.gnu.org; Sun, 12 Feb 2023 15:48:49 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=wV433SZDeFgI9 l18IAAEDfYna/0K/bt/arEBFHI/NDU=; h=references:in-reply-to:date: subject:to:from; d=tobias.gr; b=G2IZ/j+z/viCWoWywsjqMP6UwPeBqfuQK6xgfm KWA5ufh0yhp2muuIBxsJuysPEJb4Mialy+C3E8xywSyobpZ2E/dzkxi3DqjQUsT4Z7woh6 rk/6/5IZHeutlPWs1HXnwxepgKtEGa8ltQJRTIkVjD6vdOmSR5OfgyhFf2wZjiEMonkwKW K7n5nBNf6ElXjgn3/fAggmm+7ZJPGXci/jGLVxgATvzkMMg0f4gPflF3Mn1weD2SKstpYc kGTpWS+gEOsET2hGNGl/9VpePkAwAkGcmyqxbYA7OcAhWxeHPKUJGF08vb1zYaybjwjtJ2 C2bI53EidIKC3vST6L95p5YQ== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 112266e7 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <61462@debbugs.gnu.org>; Sun, 12 Feb 2023 20:48:39 +0000 (UTC) From: Tobias Geerinckx-Rice To: 61462@debbugs.gnu.org Subject: [PATCH 10/10] system: Add privileged-programs to . Date: Sun, 5 Feb 2023 01:00:19 +0100 Message-Id: <20230205000019.6259-10-me@tobias.gr> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230205000019.6259-1-me@tobias.gr> References: <20230205000019.6259-1-me@tobias.gr> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: 2.1 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: * gnu/system.scm (): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which i [...] Content analysis details: (2.1 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.1 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Debbugs-Envelope-To: 61462 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.1 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: * gnu/system.scm (): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which i [...] Content analysis details: (1.1 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.1 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager * gnu/system.scm (): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which is now defined as the empty list. * doc/guix.texi (Setuid Programs): Rename this… (Privileged Programs): …to this. Adjust all refs. Update all mentions of ‘setuid’ (whether in prose, variable names, or code samples) to use the new ‘privilege[d]’ terminology instead. (operating-system Reference, X Window, Desktop Services, Invoking guix system, Service Reference): Adjust likewise. --- doc/guix.texi | 89 ++++++++++++++++++++++------------------- gnu/packages/crypto.scm | 2 +- gnu/services.scm | 1 - gnu/system.scm | 21 ++++++++-- 4 files changed, 65 insertions(+), 48 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 009bcf5d40..7e54abcffb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -358,7 +358,7 @@ System Configuration * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with elevated privileges. +* Privileged Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -16146,7 +16146,7 @@ instance to support new system services. * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with elevated privileges. +* Privileged Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -16591,9 +16591,9 @@ As a user you should @emph{never} need to touch this field. Linux @dfn{pluggable authentication module} (PAM) services. @c FIXME: Add xref to PAM services section. -@item @code{setuid-programs} (default: @code{%setuid-programs}) -List of @code{}. @xref{Setuid Programs}, for more -information. +@item @code{privileged-programs} (default: @code{%default-privileged-programs}) +List of @code{}. @xref{Privileged Programs}, for +more information. @item @code{sudoers-file} (default: @code{%sudoers-specification}) @cindex sudoers file @@ -22047,8 +22047,8 @@ Usually the X server is started by a login manager. @deffn {Scheme Procedure} screen-locker-service @var{package} [@var{program}] Add @var{package}, a package for a screen locker or screen saver whose -command is @var{program}, to the set of setuid programs and add a PAM entry -for it. For example: +command is @var{program}, to the set of privileged programs and add a PAM +entry for it. For example: @lisp (screen-locker-service xlockmore "xlock") @@ -22965,9 +22965,9 @@ to operate with elevated privileges on a limited number of special-purpose system interfaces. Additionally, adding a service of type @code{mate-desktop-service-type} adds the MATE metapackage to the system profile. ``Adding Enlightenment'' means that @code{dbus} is extended -appropriately, and several of Enlightenment's binaries are set as setuid, -allowing Enlightenment's screen locker and other functionality to work as -expected. +appropriately, and several of Enlightenment's binaries are set as privileged +programs, allowing Enlightenment's screen locker and other functionality to +work as expected. The desktop environments in Guix use the Xorg display server by default. If you'd like to use the newer display server protocol @@ -25905,7 +25905,7 @@ remote servers. Run @command{man smtpd.conf} for more information. Make the following commands setgid to @code{smtpq} so they can be executed: @command{smtpctl}, @command{sendmail}, @command{send-mail}, @command{makemap}, @command{mailq}, and @command{newaliases}. -@xref{Setuid Programs}, for more information on setgid programs. +@xref{Privileged Programs}, for more information on setgid programs. @end table @end deftp @@ -37704,8 +37704,8 @@ create and run application bundles (aka. ``containers''). The value for this service is the Singularity package to use. The service does not install a daemon; instead, it installs helper programs as -setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke -@command{singularity run} and similar commands. +setuid-root (@pxref{Privileged Programs}) such that unprivileged users can +invoke @command{singularity run} and similar commands. @end defvar @cindex Audit @@ -38136,11 +38136,14 @@ Mode for filter. @c End of auto-generated fail2ban documentation. -@node Setuid Programs -@section Setuid Programs +@node Privileged Programs +@section Privileged Programs +@cindex privileged programs @cindex setuid programs @cindex setgid programs +@cindex capabilities, POSIX +@cindex setcap Some programs need to run with elevated privileges, even when they are launched by unprivileged users. A notorious example is the @command{passwd} program, which users can run to change their @@ -38151,46 +38154,48 @@ obvious security reasons. To address that, @command{passwd} should be (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual}, for more info about the setuid mechanism). -The store itself @emph{cannot} contain setuid programs: that would be a -security issue since any user on the system can write derivations that +The store itself @emph{cannot} contain privileged programs: that would be +a security issue since any user on the system can write derivations that populate the store (@pxref{The Store}). Thus, a different mechanism is -used: instead of changing the setuid or setgid bits directly on files that -are in the store, we let the system administrator @emph{declare} which +used: instead of directly granting permissions to files that are in +the store, we let the system administrator @emph{declare} which programs should be entrusted with these additional privileges. -The @code{setuid-programs} field of an @code{operating-system} -declaration contains a list of @code{} denoting the +The @code{privileged-programs} field of an @code{operating-system} +declaration contains a list of @code{} denoting the names of programs to have a setuid or setgid bit set (@pxref{Using the Configuration System}). For instance, the @command{mount.nfs} program, which is part of the nfs-utils package, with a setuid root can be designated like this: @lisp -(setuid-program - (program (file-append nfs-utils "/sbin/mount.nfs"))) +(privileged-program + (program (file-append nfs-utils "/sbin/mount.nfs")) + (setuid? #t)) @end lisp And then, to make @command{mount.nfs} setuid on your system, add the previous example to your operating system declaration by appending it to -@code{%setuid-programs} like this: +@code{%default-privileged-programs} like this: @lisp (operating-system ;; Some fields omitted... - (setuid-programs - (append (list (setuid-program - (program (file-append nfs-utils "/sbin/mount.nfs")))) - %setuid-programs))) + (privileged-programs + (append (list (privileged-program + (program (file-append nfs-utils "/sbin/mount.nfs")) + (setuid? #t)) + %default-privileged-programs))) @end lisp -@deftp {Data Type} setuid-program -This data type represents a program with a setuid or setgid bit set. +@deftp {Data Type} privileged-program +This data type represents a program with special privileges, such as setuid @table @asis @item @code{program} -A file-like object having its setuid and/or setgid bit set. +A file-like object to which all given privileges should apply. -@item @code{setuid?} (default: @code{#t}) +@item @code{setuid?} (default: @code{#f}) Whether to set user setuid bit. @item @code{setgid?} (default: @code{#f}) @@ -38207,18 +38212,18 @@ defaults to root. @end table @end deftp -A default set of setuid programs is defined by the -@code{%setuid-programs} variable of the @code{(gnu system)} module. +A default set of privileged programs is defined by the +@code{%default-privileged-programs} variable of the @code{(gnu system)} module. -@defvar %setuid-programs -A list of @code{} denoting common programs that are -setuid-root. +@defvar {Scheme Variable} %default-privileged-programs +A list of @code{} denoting common programs with +elevated privileges. The list includes commands such as @command{passwd}, @command{ping}, @command{su}, and @command{sudo}. @end defvar -Under the hood, the actual setuid programs are created in the +Under the hood, the actual privileged programs are created in the @file{/run/privileged/bin} directory at system activation time. The files in this directory refer to the ``real'' binaries, which are in the store. @@ -39089,7 +39094,7 @@ once @command{reconfigure} has completed. @end quotation This effects all the configuration specified in @var{file}: user -accounts, system services, global package list, setuid programs, etc. +accounts, system services, global package list, privileged programs, etc. The command starts system services specified in @var{file} that are not currently running; if a service is currently running this command will arrange for it to be upgraded the next time it is stopped (e.g.@: by @@ -40535,10 +40540,10 @@ tiresome to create multiple records with it so in practice the procedure @end quotation @end defvar -@defvar setuid-program-service-type -Type for the ``setuid-program service''. This service collects lists of +@defvar privileged-program-service-type +Type for the ``privileged-program service''. This service collects lists of executable file names, passed as gexps, and adds them to the set of -setuid and setgid programs on the system (@pxref{Setuid Programs}). +privileged programs on the system (@pxref{Privileged Programs}). @end defvar @defvar profile-service-type diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm index 57a42a6a84..87c26f10ad 100644 --- a/gnu/packages/crypto.scm +++ b/gnu/packages/crypto.scm @@ -499,7 +499,7 @@ (define-public tomb `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out"))) ;; The "sudo" input is needed only to satisfy dependency checks in the ;; 'check' phase. The "sudo" used at runtime should come from the - ;; system's setuid-programs, so ensure no reference is kept. + ;; system's privileged-programs, so ensure no reference is kept. #:disallowed-references (,sudo) ;; TODO: Build and install gtk and qt trays #:phases diff --git a/gnu/services.scm b/gnu/services.scm index 09ff58dcd1..9825f4a4a5 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -44,7 +44,6 @@ (define-module (gnu services) #:use-module (gnu packages bash) #:use-module (gnu packages hurd) #:use-module (gnu system privilege) - #:use-module (gnu system setuid) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-9 gnu) diff --git a/gnu/system.scm b/gnu/system.scm index 3b66847b4f..1a22dc65f5 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -75,6 +75,7 @@ (define-module (gnu system) #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system privilege) #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) @@ -128,6 +129,7 @@ (define-module (gnu system) operating-system-keyboard-layout operating-system-name-service-switch operating-system-pam-services + operating-system-privileged-programs operating-system-setuid-programs operating-system-skeletons operating-system-sudoers-file @@ -173,6 +175,7 @@ (define-module (gnu system) local-host-aliases ;deprecated local-host-entries %root-account + %default-privileged-programs %setuid-programs %sudoers-specification %base-packages @@ -296,7 +299,10 @@ (define-record-type* operating-system (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) + (privileged-programs operating-system-privileged-programs ; list of + (default %default-privileged-programs)) (setuid-programs operating-system-setuid-programs + ;; For backwards compatibility; will be removed. (default %setuid-programs)) ; list of (sudoers-file operating-system-sudoers-file ; file-like @@ -785,7 +791,8 @@ (define known-fs (host-name-service host-name) procs root-fs (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os)) boot-fs non-boot-fs @@ -826,7 +833,8 @@ (define (hurd-default-essential-services os) (service hosts-service-type (local-host-entries host-name))) (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) @@ -1213,8 +1221,7 @@ (define (operating-system-environment-variables os) ;; TODO: Remove when glibc@2.23 is long gone. ("GUIX_LOCPATH" . "/run/current-system/locale"))) -(define %setuid-programs - ;; Default set of setuid-root programs. +(define %default-privileged-programs (let ((shadow (@ (gnu packages admin) shadow))) (map file-like->setuid-program (list (file-append shadow "/bin/passwd") @@ -1236,6 +1243,12 @@ (define %setuid-programs (file-append util-linux "/bin/mount") (file-append util-linux "/bin/umount"))))) +(define %setuid-programs + ;; Do not add to this list or use it in new code! It's defined only to ease + ;; transition to %default-privileged-programs and will be removed. Some rare + ;; use cases already break, such as the obvious (remove … %setuid-programs). + '()) + (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' ;; group can do anything. See -- 2.39.1