From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in
	the store
Date: Sun, 08 Oct 2017 21:25:15 +0200
Message-ID: <87h8v9cuhw.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44805)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e1HD9-0005oh-9G
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:26:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e1HD8-000458-GV
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:26:03 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:47984)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e1HD8-000452-D5
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:26:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e1HD8-0002EX-53
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:26:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.28751.B.15074907298539@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44759)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1e1HCS-0005mx-J3
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:25:21 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1e1HCR-0003qC-Gw
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:25:20 -0400
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:42637)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
	id 1e1HCR-0003q8-D0
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:25:19 -0400
Received: from vpn-0-27.aquilenet.fr ([2a01:474:4:27::]:39830 helo=ribbon)
	by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
	(Exim 4.82) (envelope-from <ludo@gnu.org>) id 1e1HCP-0003cd-US
	for bug-guix@gnu.org; Sun, 08 Oct 2017 15:25:19 -0400
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 28751@debbugs.gnu.org

On GuixSD, =E2=80=98activate-setuid-programs=E2=80=99 in (gnu build activat=
ion) would
create setuid-root binaries under /gnu/store for all the programs listed
under =E2=80=98setuid-programs=E2=80=99 in the =E2=80=98operating-system=E2=
=80=99 declaration.

=E2=80=98activate-setuid-programs=E2=80=99 in (gnu build activation) does t=
his:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/=E2=80=A6/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* =E2=80=98su=E2=80=99 files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo=E2=80=99.