Subject: bug#63904: Can't setuid programs to anybody but root
From: edk@beaver-labs.com
To: 63904@debbugs.gnu.org
Date: Mon, 05 Jun 2023 12:00:18 +0200
Message-ID: <87h6rmtdzk.fsf@rdklein.fr>
List-Id: Bug reports for GNU Guix
Dear Guix developers,

At the end of the email is the code for a minimal container, which tries to setuid =true=, the simplest binary of all, to user suc.

When line 26 is commented, and the container is built and run with:

    sudo $(guix system container mwe.scm)

one can log in to the container and run:

    ls -l /run/setuid-programs/true

which yields:

    -r-sr-xr-x 1 root root 39488 Jun 5 09:59 /run/setuid-programs/true

as it should. Also, one can fire up guile and run (getpw "suc") and get in return:

    $1 = #("suc" "x" 1000 998 "" "/home/suc" "/gnu/store/m6c5hgqg569mbcjjbp8l8m7q82ascpdl-bash-5.1.16/bin/bash")

However, when line 26 is uncommented, the container can be built, but when run it fails with the error below. My hunch is that things are done out of order, with setuid binaries being set up before user creation, but I have no way of checking that.

Please do not hesitate to ping me if I can be of help.

Cheers,
Edouard.

The error:

    system container is running as PID 9825
    WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
    Run 'sudo guix container exec 9825 /run/current-system/profile/bin/bash --login'
    or run 'sudo nsenter -a -t 9825'
    to get a shell into it.
    WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
    making '/gnu/store/mnc9lfpn01frmffqa31jy3c381dkgrwl-system' the current system...
    WARNING: (guile-user): imported module (guix build utils) overrides core binding `delete'
    setting up setuid programs in '/run/setuid-programs'...
    Backtrace:
              12 (primitive-load "/gnu/store/bygckv7p4091xqykjnkay4qnazn…")
    In gnu/build/linux-container.scm:
       300:8  11 (call-with-temporary-directory #)
       397:16 10 (_ "/tmp/guix-directory.B9dmTN")
        62:6   9 (call-with-clean-exit #)
    In unknown file:
               8 (primitive-load "/gnu/store/mnc9lfpn01frmffqa31jy3c381d…")
    In ice-9/eval.scm:
       619:8   7 (_ #f)
    In unknown file:
               6 (primitive-load "/gnu/store/dib6wfh2r52dfaydz78n33267qx…")
    In srfi/srfi-1.scm:
       634:9   5 (for-each # ("/gnu/sto…" …))
    In unknown file:
               4 (primitive-load "/gnu/store/ypwqsx11k2qmxkscmzan6srq87q…")
    In srfi/srfi-1.scm:
       634:9   3 (for-each # …)
    In ice-9/boot-9.scm:
      1747:15  2 (with-exception-handler # …)
    In gnu/build/activation.scm:
       317:57  1 (_)
    In unknown file:
               0 (getpw "suc")

    ERROR: In procedure getpw:
    In procedure getpw: entry not found

The code (mwe.scm):

    (use-modules (guix gexp)
                 (gnu system)
                 (gnu bootloader)
                 (gnu bootloader grub)
                 (gnu system file-systems)
                 (gnu services)
                 (gnu services base)
                 (gnu system setuid)
                 (gnu packages base))

    (operating-system
      (host-name "minimal-container")
      (timezone "UTC")
      (locale "en_US.utf8")

      (bootloader (bootloader-configuration
                   (bootloader grub-bootloader)))

      (file-systems %base-file-systems)
      (users (cons (user-account
                    (name "suc")
                    (group "users"))
                   %base-user-accounts))
      (setuid-programs (cons (setuid-program
                              (program (file-append coreutils "/bin/true"))
                              (user "suc")   ; the "line 26" the report refers to
                              )
                             %setuid-programs))
      (packages %base-packages)
      (services %base-services))
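An added check, not part of the report or of Guix itself, that turns the manual `ls -l` inspection above into a repeatable audit: every setuid binary in a directory must be owned by a uid that has a passwd entry, which is the same lookup the activation code performs with getpw. The directory and passwd paths are assumptions (on a Guix system they would be /run/setuid-programs and /etc/passwd); the fixture it builds for a stand-alone run is constructed.

```shell
#!/bin/sh
# Audit helper (added example, not from the bug report or from Guix): list the
# setuid binaries in a directory and verify that each owner uid is known to a
# passwd file. Paths are assumptions; see the lead-in.

# Print "<uid> <name>" for every regular file in $1 that has the setuid bit.
list_setuid_owners() {
  find "$1" -maxdepth 1 -type f -perm -4000 | sort | while read -r f; do
    printf '%s %s\n' "$(ls -ln "$f" | awk '{print $3}')" "$(basename "$f")"
  done
}

# Return 0 when every setuid file in $1 is owned by a uid present in the
# passwd file $2; otherwise report each orphaned binary and return 1.
audit_setuid_dir() {
  dir=$1; passwd=$2; status=0
  list_setuid_owners "$dir" | while read -r uid name; do
    if ! awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd"; then
      echo "MISSING: $name is owned by uid $uid, which has no entry in $passwd" >&2
      exit 1   # leaves the pipeline subshell with a failure status
    fi
  done || status=1
  return $status
}

# Constructed fixture: one setuid file, one plain file, and two constructed
# passwd files, one that knows the current uid and one that only knows an
# unrelated uid 4242 (so the audit must flag the setuid file against it).
make_fixture() {
  tmp=$(mktemp -d)
  : > "$tmp/true"  && chmod 4755 "$tmp/true"
  : > "$tmp/plain" && chmod 644 "$tmp/plain"
  printf 'guest:x:4242:4242::/nonexistent:/bin/sh\n' > "$tmp/passwd-without"
  printf 'guest:x:4242:4242::/nonexistent:/bin/sh\nme:x:%s:100::/home/me:/bin/sh\n' \
    "$(id -u)" > "$tmp/passwd-with"
  echo "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  fx=$(make_fixture)
  audit_setuid_dir "$fx" "$fx/passwd-with"    && echo "with:    ok"
  audit_setuid_dir "$fx" "$fx/passwd-without" || echo "without: orphaned setuid binary found"
fi
```

Run it with `--demo` to see both outcomes on the constructed fixture, or point `audit_setuid_dir` at the real directory and passwd file inside the container.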