unofficial mirror of bug-guix@gnu.org 
Subject: bug#62725: Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’
From: Brian Cully via Bug reports for GNU Guix @ 2023-04-08 14:53 UTC (permalink / raw)
  To: 62725


There is currently no way to ensure that an account exists before 
creating /run/setuid-programs, which means a setuid-program which 
uses a custom user or group will fail to be created if setuid 
activation happens before account activation.

As an example, here's a system config where I'm trying to install 
‘/run/setuid-programs/dumpcap’ as setuid root with a primary group 
of ‘wireshark’, also created by this config:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system setuid))
(use-package-modules networking)
(use-service-modules setuid)

;; TODO: make name configurable
(define %wireshark-groups
  (list (user-group
         (name "wireshark")
         (system? #t))))

(define %wireshark-setuid-programs
  (list (setuid-program
         (program (file-append wireshark "/bin/dumpcap"))
         (group "wireshark")
         #;(mask #o550))))

(define wireshark-service-type
  (service-type
   (name 'wireshark)
   (description "Allow use of wireshark by regular users in the 
   @code{wireshark} group.")
   (extensions
    (list (service-extension account-service-type
                             (const %wireshark-groups))
          (service-extension setuid-program-service-type
                             (const %wireshark-setuid-programs))))
   (default-value #f)))

(operating-system
  (locale "en_US.utf8")
  (timezone "America/New_York")
  (keyboard-layout (keyboard-layout "us"))
  (host-name "wireshark-test")

  (users (cons* (user-account
                 (name "test")
                 (group "users")
                 (password (crypt "test" "$6$test"))
                 (supplementary-groups
                  '("wireshark")))
                %base-user-accounts))
  (packages
   (cons*
    (specification->package "wireshark")
    %base-packages))

  (services
   (cons*
    (service wireshark-service-type)
    %base-services))

  (bootloader
   (bootloader-configuration
    (bootloader grub-efi-bootloader)
    (targets '("/boot/efi"))
    (keyboard-layout keyboard-layout)))

  (file-systems
   (cons* (file-system
            (mount-point "/")
            (device
             (uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
                   'btrfs))
            (type "btrfs"))
          (file-system
            (mount-point "/boot/efi")
            (device (uuid "6866-56B1" 'fat32))
            (type "vfat"))
          %base-file-systems)))
--8<---------------cut here---------------end--------------->8---

When trying to boot this system in a VM, I'm told that the dumpcap 
binary couldn't be created because the file wasn't found. The 
returned error is improperly attributed: the source file does 
exist, and the error code is actually coming from getgrent(3) 
which cannot find the ‘wireshark’ group.

Tracing through the activation scripts shows this to be because, 
in this case, setuid-program activation happens before 
account activation.

Thanks to jpoiret for doing a lot of the investigative work here, 
which I'm merely verifying through testing.

I believe the correct solution here is to move ‘setuid-program’ 
activation to a one-shot Shepherd service, because Shepherd allows 
explicit ordering, as well as other advantages. To that end, I 
have a patch which does precisely that, which I will send to the 
patches list shortly.

-bjc
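As an added illustration of the direction proposed above (not the author's patch, which is not part of this message), here is a constructed one-shot Shepherd service that installs the same dumpcap binary with explicit ordering and reports a missing group as such instead of as a missing file. It assumes the Guix ‘shepherd-service’ fields ‘requirement’ and ‘one-shot?’ and the ‘user-homes’ provision of the account service; the service and variable names are made up for the example.

```scheme
(use-modules (gnu services)
             (gnu services shepherd)
             (gnu packages networking)   ; provides the 'wireshark' package
             (guix gexp))

;; Constructed example, not the author's patch: a one-shot Shepherd
;; service that installs dumpcap as setuid root with group "wireshark".
;; Shepherd only starts after the activation scripts (which create
;; accounts and groups) have run, and 'requirement' makes the ordering
;; explicit, so the group lookup can no longer race account creation.
(define wireshark-setuid-service
  (simple-service
   'wireshark-setuid-programs
   shepherd-root-service-type
   (list
    (shepherd-service
     (provision '(wireshark-setuid-programs))
     (requirement '(user-homes))
     (one-shot? #t)
     (documentation "Install dumpcap setuid root, group wireshark.")
     (start
      (with-imported-modules '((guix build utils))
        #~(lambda ()
            (use-modules (guix build utils))   ; for mkdir-p
            (let* ((source #$(file-append wireshark "/bin/dumpcap"))
                   (target "/run/setuid-programs/dumpcap")
                   ;; Resolve the group before touching any file, so a
                   ;; missing group is reported as exactly that rather
                   ;; than as a "file not found" error on the program.
                   (gid (catch 'system-error
                          (lambda () (group:gid (getgrnam "wireshark")))
                          (lambda _
                            (error "setuid install: no such group"
                                   "wireshark")))))
              (mkdir-p (dirname target))
              (copy-file source target)
              (chown target 0 gid)          ; owner root, group wireshark
              (chmod target #o4550)         ; setuid, no access for others
              #t))))))))

;; Add WIRESHARK-SETUID-SERVICE to the operating-system's SERVICES list
;; next to the account extension that creates the "wireshark" group.
```

Assumption: since the activation that rebuilds /run/setuid-programs runs before Shepherd starts, this service runs after it at boot, but a one-shot service is not re-run by ‘guix system reconfigure’, so after reconfiguring it has to be started again with ‘herd start wireshark-setuid-programs’.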
