Subject: bug#63904: Can't setuid programs to anybody but root
From: Edouard Klein
Date: Tue, 06 Jun 2023 09:21:43 +0200
To: 63904@debbugs.gnu.org
Cc: dev@jpoiret.xyz, me@tobias.gr, zimon.toutoune@gmail.com, othacehe@gnu.org, ludo@gnu.org, mail@cbaines.net, rekado@elephly.net
In-reply-to: <87h6rmtdzk.fsf@rdklein.fr>
References: <87h6rmtdzk.fsf@rdklein.fr>
Message-ID: <878rcxt4jt.fsf@rdklein.fr>
User-agent: mu4e 1.8.13; emacs 28.2
List-Id: Bug reports for GNU Guix (bug-guix@gnu.org)

Dear Guix,

CCing the core team, I tried tracking down the bug. The fateful call to getpw was easy enough to find:

The make-setuid-program procedure is given a numeric uid argument. This numeric uid is found from the user name string by activate-setuid-program, which calls getpwnam (gnu/build/activation.scm:317).

Now this gave me an idea to sidestep the bug: see below the modified part of the minimal reproducible example. I just force-assign a uid to the user I want to setuid to, and give this uid instead of the username to the setuid record.
This is cumbersome, but it does the job: the call to getpw is averted and I get a system in which I can setuid to somebody other than root.

However, I'm lost as to how to solve the bug for good. I tried to understand the call stack, but I can't figure out how, in the folding service machinery, the services are ordered. My intuition is that I need to make it so the folding of non-root setuids happens after the folding of users and groups (I also have the intuition that root setuids must happen before, because folding users and groups may require that root setuid binaries are there, but I have not been able to verify that).

Here is what I was able to find:

  getpw is called by activate-setuid-program
  activate-setuid-program is called in setuid-program->activation-gexp
  setuid-program->activation-gexp is the activation procedure for setuid-program-service-type
  setuid-program-service-type is itself an extension of activation-service-type

I'm trying to follow how the service DAG is constructed, and then walked, from there, but I don't think I have a very clear model of how it works in my head.

I think the devil may be in:

  (define (compute-boot-script _ gexps)
    ;; Reverse GEXPS so that extensions appear in the boot script in the right
    ;; order.  That is, user extensions would come first, and extensions added
    ;; by 'essential-services' (e.g., running shepherd) are guaranteed to come
    ;; last.
    (gexp->file "boot"
                ;; Clean up and activate the system, then spawn shepherd.
                #~(begin
                    #$@(reverse gexps))))

Any help there would be greatly appreciated.

Thanks in advance,

Cheers,

Edouard.
(operating-system
  (host-name "minimal-container")
  (timezone "UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)))
  (file-systems %base-file-systems)
  (users (cons
          (user-account
           (name "suc")
           (group "users")
           (uid 1042))
          %base-user-accounts))
  (setuid-programs
   (cons (setuid-program (program (file-append coreutils "/bin/true"))
                         ;; (user "suc")
                         (user 1042)
                         )
         %setuid-programs))
  (packages %base-packages)
  (services %base-services))

edk@beaver-labs.com writes:

> Dear Guix developers,
>
> At the end of the email is the code for a minimal container, which tries
> to setuid =true=, the simplest binary of all, to user suc.
>
> When line 26 is commented, and the container is built and run with:
> sudo $(guix system container mwe.scm)
>
> One can log in to the container and run:
> ls -l /run/setuid-programs/true
>
> which yields:
> -r-sr-xr-x 1 root root 39488 Jun 5 09:59 /run/setuid-programs/true
> as it should.
>
> Also, one can fire up guile and run (getpw "suc") and get in return:
> $1 = #("suc" "x" 1000 998 "" "/home/suc" "/gnu/store/m6c5hgqg569mbcjjbp8l8m7q82ascpdl-bash-5.1.16/bin/bash")
>
> However, when line 26 is uncommented, the container can be built, but
> when run fails with the error below.
> My hunch is that things are done out of order, with setuid binaries
> being set up before user creation, but I have no way of checking that.
>
> Please do not hesitate to ping me if I can be of help.
>
> Cheers,
>
> Edouard.
>
> The error:
> system container is running as PID 9825
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> Run 'sudo guix container exec 9825 /run/current-system/profile/bin/bash --login'
> or run 'sudo nsenter -a -t 9825' to get a shell into it.
>
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> making '/gnu/store/mnc9lfpn01frmffqa31jy3c381dkgrwl-system' the current system...
> WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
> setting up setuid programs in '/run/setuid-programs'...
> Backtrace:
>           12 (primitive-load "/gnu/store/bygckv7p4091xqykjnkay4qnazn…")
> In gnu/build/linux-container.scm:
>    300:8  11 (call-with-temporary-directory #)
>    397:16 10 (_ "/tmp/guix-directory.B9dmTN")
>     62:6   9 (call-with-clean-exit #)
> In unknown file:
>            8 (primitive-load "/gnu/store/mnc9lfpn01frmffqa31jy3c381d…")
> In ice-9/eval.scm:
>    619:8   7 (_ #f)
> In unknown file:
>            6 (primitive-load "/gnu/store/dib6wfh2r52dfaydz78n33267qx…")
> In srfi/srfi-1.scm:
>    634:9   5 (for-each # ("/gnu/sto…" …))
> In unknown file:
>            4 (primitive-load "/gnu/store/ypwqsx11k2qmxkscmzan6srq87q…")
> In srfi/srfi-1.scm:
>    634:9   3 (for-each # …)
> In ice-9/boot-9.scm:
>   1747:15  2 (with-exception-handler # …)
> In gnu/build/activation.scm:
>    317:57  1 (_)
> In unknown file:
>            0 (getpw "suc")
>
> ERROR: In procedure getpw:
> In procedure getpw: entry not found
>
>
>
> The code
>
> (use-modules
>  (guix gexp)
>  (gnu system)
>  (gnu bootloader)
>  (gnu bootloader grub)
>  (gnu system file-systems)
>  (gnu services)
>  (gnu services base)
>  (gnu system setuid)
>  (gnu packages base))
>
> (operating-system
>   (host-name "minimal-container")
>   (timezone "UTC")
>   (locale "en_US.utf8")
>   (bootloader (bootloader-configuration
>                (bootloader grub-bootloader)))
>   (file-systems %base-file-systems)
>   (users (cons
>           (user-account
>            (name "suc")
>            (group "users"))
>           %base-user-accounts))
>   (setuid-programs
>    (cons (setuid-program (program (file-append coreutils "/bin/true"))
>                          (user "suc")
>                          )
>          %setuid-programs))
>   (packages %base-packages)
>   (services %base-services))
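The message above ends with a workaround (a numeric uid in the setuid-program record) and an open question about service ordering. Whichever way the ordering is eventually fixed, a practitioner will want to verify what the activation step actually produced in /run/setuid-programs, and the workaround has a hazard of its own: a wrapper setuid to a bare uid such as 1042 keeps working even after the matching passwd entry is renamed or removed, at which point getpwuid fails on that uid exactly the way getpw failed on "suc" in the backtrace. The following audit script is an added example written for this editing pass; it is not part of the e-mail, nor of Guix. It assumes only the directory layout the report shows (/run/setuid-programs holding the wrappers). The function names, the issue strings, the privileged-uid set and the constructed passwd/group tables used in the test are this script's own choices, not Guix identifiers.

```python
"""Audit the setuid/setgid wrappers a Guix system leaves in /run/setuid-programs.

Added example, not part of the bug report or of Guix.  It checks the result of
the setuid activation step, and in particular flags a wrapper that is setuid
to a uid with no passwd entry (the orphaned-uid hazard of configuring a
numeric uid instead of a user name).
"""
import os
import pwd
import grp
import stat
from dataclasses import dataclass
from typing import Callable, Iterator, Optional, Tuple

DEFAULT_DIR = "/run/setuid-programs"   # where Guix puts the wrappers (see the report)
PRIVILEGED_IDS = {0}                   # setuid to these uids is expected; assumption


def _pw_name(uid: int) -> str:
    return pwd.getpwuid(uid).pw_name     # raises KeyError when no passwd entry exists


def _gr_name(gid: int) -> str:
    return grp.getgrgid(gid).gr_name     # raises KeyError when no group entry exists


@dataclass(frozen=True)
class Finding:
    path: str
    mode: int
    uid: int
    gid: int
    owner: Optional[str]       # None when the uid cannot be resolved
    group: Optional[str]       # None when the gid cannot be resolved
    issues: Tuple[str, ...]    # empty tuple means the wrapper looks sane


def classify(path: str, mode: int, uid: int, gid: int,
             resolve_user: Callable[[int], str] = _pw_name,
             resolve_group: Callable[[int], str] = _gr_name) -> Finding:
    """Pure check on one inode's metadata.

    The name resolvers are injectable so the logic can be exercised offline
    against a constructed passwd/group table instead of the live NSS databases.
    """
    issues = []
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)

    if not stat.S_ISREG(mode):
        issues.append("not a regular file")        # symlinks must not carry the bits
    if not (suid or sgid):
        issues.append("neither setuid nor setgid bit set")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")

    try:
        owner = resolve_user(uid)
    except KeyError:
        owner = None
        if suid:
            issues.append(f"setuid to uid {uid}, which has no passwd entry")
    try:
        group = resolve_group(gid)
    except KeyError:
        group = None
        if sgid:
            issues.append(f"setgid to gid {gid}, which has no group entry")

    return Finding(path, mode, uid, gid, owner, group, tuple(issues))


def scan(directory: str = DEFAULT_DIR) -> Iterator[Finding]:
    """lstat() every entry so a symlink is reported as such instead of followed."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        yield classify(path, st.st_mode, st.st_uid, st.st_gid)


def non_root_targets(findings) -> Tuple[Tuple[str, int], ...]:
    """(path, uid) of every wrapper setuid to a uid outside PRIVILEGED_IDS.

    On a system affected by bug#63904 these are the wrappers whose activation
    would fail unless the uid was given numerically.
    """
    return tuple((f.path, f.uid) for f in findings
                 if f.mode & stat.S_ISUID and f.uid not in PRIVILEGED_IDS)


if __name__ == "__main__":
    import sys
    results = list(scan(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR))
    for f in results:
        tag = "OK " if not f.issues else "BAD"
        print(f"{tag} {f.path} {stat.filemode(f.mode)} "
              f"uid={f.uid}({f.owner}) gid={f.gid}({f.group})")
        for issue in f.issues:
            print(f"      - {issue}")
    print("non-root setuid wrappers:", non_root_targets(results))
    sys.exit(1 if any(f.issues for f in results) else 0)
```

Run it as `python3 audit_setuid.py` on the container (or pass another directory) after `guix system container` has booted; a non-zero exit means at least one wrapper needs attention. The classify function is kept free of filesystem access so the orphaned-uid case can be demonstrated with a fake passwd table, which is what the numeric-uid workaround looks like once the "suc" account disappears.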