unofficial mirror of bug-guix@gnu.org 
* bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
@ 2017-10-08 19:25 Ludovic Courtès
  2017-10-08 19:32 ` Ludovic Courtès
  0 siblings, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2017-10-08 19:25 UTC (permalink / raw)
  To: 28751

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

‘activate-setuid-programs’ in (gnu build activation) does this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.

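The report's two steps, reproduced as an added shell demonstration (not code from the report or from Guix): a hard link shares its inode, so a `chmod +s` on the link lands on the store file too, while a copy confines the bit to the new inode. The store and setuid-programs paths below are constructed under a temporary directory, and the audit command at the end is the check a defender would run on a real GuixSD host.

```shell
#!/bin/sh
# Constructed demo: hard-linking a store file and then making the link setuid
# also makes the store file setuid, because both names share one inode.
set -eu

# Print "setuid" if FILE carries the setuid bit, "plain" otherwise (POSIX find).
setuid_state() {
    if [ -n "$(find "$1" -prune -perm -4000 -print)" ]; then
        echo setuid
    else
        echo plain
    fi
}

# Lay out a fake store file and a fake /run/setuid-programs under $tmp.
make_layout() {
    tmp=$(mktemp -d)
    store="$tmp/gnu/store/fake-su/bin"   # stands in for /gnu/store/.../bin
    run="$tmp/run/setuid-programs"
    mkdir -p "$store" "$run"
    printf '#!/bin/sh\necho su\n' > "$store/su"
    chmod 555 "$store/su"
}

# The buggy path from the report: ln, then chmod +s on the link.
# Returns the state of the *store* file afterwards.
store_state_after_hardlink() {
    make_layout
    ln "$store/su" "$run/su"      # step 1: hard link, same inode
    chmod u+s "$run/su"           # step 2: flips the bit on both names
    setuid_state "$store/su"
    rm -rf "$tmp"
}

# The safe variant: copy instead of link, so the store inode is untouched.
store_state_after_copy() {
    make_layout
    cp "$store/su" "$run/su"      # new inode with its own mode bits
    chmod u+s "$run/su"
    setuid_state "$store/su"
    rm -rf "$tmp"
}

# Audit check for a live system (read-only; lists setuid/setgid store files):
#   find /gnu/store -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
```

On an unaffected system the audit command prints nothing; any path it lists is a store item whose mode bits have been altered.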

Thread overview: 5+ messages
2017-10-08 19:25 bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store Ludovic Courtès
2017-10-08 19:32 ` Ludovic Courtès
2017-10-08 19:54   ` Ludovic Courtès
2017-12-29 23:09     ` Leo Famulari
     [not found]     ` <20171229223329.GA25194@jasmine.lan>
2017-12-30  0:28       ` Ludovic Courtès
