From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#73680: privileged-programs: can't set setuid/setgid to new accounts/groups
From: Dariqq
To: 73680@debbugs.gnu.org
Resent-CC: bug-guix@gnu.org
Date: Mon, 7 Oct 2024 14:55:16 +0000
Message-ID: <32a02946-4d85-472c-9035-42cfe3663a3c@posteo.net>
X-GNU-PR-Package: guix
List-Id: Bug reports for GNU Guix
Hi,

I was writing a service which (among other things) adds a setuid/setgid binary for a new account and group. I got errors and warnings when trying to instantiate the operating system.

As a reproducer consider this OS, which tries to privilege the hello package to a hello user and group (I started this operating system with guix system container):

#+begin_src scheme
(use-modules (gnu) (gnu services))
(use-system-modules privilege shadow)
(use-package-modules base admin)

(define %hello-accounts
  (list (user-group (name "hello") (system? #t))
        (user-account (name "hello")
                      (group "hello")
                      (system? #t)
                      (comment "hello user")
                      (home-directory "/var/empty")
                      (shell (file-append shadow "/sbin/nologin")))))

(define %hello-privileged
  (list (privileged-program (program (file-append hello "/bin/hello"))
                            (setuid? #t)
                            (setgid? #t)
                            (user "hello")
                            (group "hello"))))

(define hello-service-type
  (service-type (name 'hello)
                (extensions
                 (list (service-extension account-service-type
                                          (const %hello-accounts))
                       (service-extension privileged-program-service-type
                                          (const %hello-privileged))))
                (default-value #f)
                (description "Hello Reproducer")))

(operating-system
  (host-name "hello-test")
  (services (cons (service hello-service-type) %base-services))
  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/sda")))))
#+end_src

* When setuid? is #t (regardless of setgid?) I get a fatal error:

setting up privileged programs in '/run/privileged/bin'...
Backtrace:
[...]
In gnu/build/activation.scm:
   364:57  1 (_)
In unknown file:
           0 (getpw "hello")

ERROR:
In procedure getpw:
In procedure getpw: entry not found

Which seems to indicate that the user does not yet exist?

* When setuid? is #f, the user field is commented out and setgid? is #t, there is a non-fatal warning, however privileging fails:

setting up privileged programs in '/run/privileged/bin'...
warning: failed to privilege "/gnu/store/8bjy9g0cssjrw9ljz2r8ww1sma95isfj-hello-2.12.1/bin/hello": No such file or directory

When the group is changed to 0/"root" (the default) things work, I think because that account already exists.

As another example: the opensmtpd-service-type adds its utilities as setgid smtpq. The system test is failing with the same error: https://ci.guix.gnu.org/build/6060982/details

From the log:

warning: failed to privilege "/gnu/store/2ng9wzk5d13xcxhk7w7k5zzdm24shk91-opensmtpd-7.5.0p0/sbin/smtpctl": No such file or directory

However things are very weird because I have the opensmtpd server running and working locally. Maybe a weird race condition between account creation and setting up privileged programs? Can we ensure that the account creation always happens before privileged programs are created?
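A pre-flight check of the kind the closing question asks for, as an added example that is not part of the report or of Guix: it confirms that every user and group named by a privileged-program entry already resolves before any ownership change is attempted, using the record fields from the reproducer above. PrivilegedProgram, check_entries and the user_exists/group_exists lookup hooks are assumed names, and the account database in the block is constructed.

```python
"""Pre-flight check for privileged-program entries (added example, not Guix
code).  Field names mirror the <privileged-program> record in the report; the
user_exists/group_exists hooks are hypothetical so the check can run against a
constructed account list instead of the live system."""
import grp
import pwd
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivilegedProgram:
    program: str
    setuid: bool = False
    setgid: bool = False
    user: str = "root"
    group: str = "root"


def _resolves(getter, name):
    # pwd.getpwnam / grp.getgrnam raise KeyError for an unknown name, the same
    # condition that surfaces as "getpw: entry not found" in the report.
    try:
        getter(name)
        return True
    except KeyError:
        return False


def check_entries(entries, user_exists=None, group_exists=None):
    """Return [(program, reason), ...] for every entry whose user or group
    cannot be resolved yet; an empty list means privileging may proceed.
    Entries with neither bit set need no ownership change and are skipped."""
    user_exists = user_exists or (lambda n: _resolves(pwd.getpwnam, n))
    group_exists = group_exists or (lambda n: _resolves(grp.getgrnam, n))
    problems = []
    for entry in entries:
        if entry.setuid and not user_exists(entry.user):
            problems.append((entry.program, f"user {entry.user!r} not found"))
        if entry.setgid and not group_exists(entry.group):
            problems.append((entry.program, f"group {entry.group!r} not found"))
    return problems


# Constructed stand-in for /etc/passwd and /etc/group before the account
# service has run: only root exists, as in the failing activation.
EXISTING_USERS = {"root"}
EXISTING_GROUPS = {"root"}
HELLO = PrivilegedProgram("/gnu/store/8bjy9g0cssjrw9ljz2r8ww1sma95isfj-hello-2.12.1/bin/hello",
                          setuid=True, setgid=True, user="hello", group="hello")

if __name__ == "__main__":
    for program, reason in check_entries([HELLO], EXISTING_USERS.__contains__,
                                         EXISTING_GROUPS.__contains__):
        print(f"refusing to privilege {program}: {reason}")
```

Run against the real system (no hooks) the same function consults pwd and grp, so it can be placed ahead of the activation step to fail early with a readable reason instead of a backtrace.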