unofficial mirror of guix-devel@gnu.org 
* Setuid handling?
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-25  1:02 UTC
  To: Guix Devel

Hi,

After reconfiguring today (see below) I can no longer invoke a
familiar set of setuid executables:

    $ su -
    su: Not setuid and you are not root, expect this to fail
    root's password:

    $ mailq
    mailq: need root privileges

Has the handling for such executables changed?

Kind regards
Felix Lechner


* * *

  guix 23f11af
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 23f11afacdfe755ffa514a8cbf93ba1121b9db0d



* Re: Setuid handling?
From: Josselin Poiret @ 2023-04-25 12:25 UTC
  To: Felix Lechner, Guix Devel


Hi,

Felix Lechner via "Development of GNU Guix and the GNU System
distribution." <guix-devel@gnu.org> writes:

> Hi,
>
> After reconfiguring today (see below) I can no longer invoke a
> familiar set of setuid executables:
>
>     $ su -
>     su: Not setuid and you are not root, expect this to fail
>     root's password:
>
>     $ mailq
>     mailq: need root privileges
>
> Has the handling for such executables changed?

What is `command -v su`, and `ls /run/setuid-programs/`?  Have you
rebooted since reconfiguring?

Best,
-- 
Josselin Poiret


* Re: Setuid handling?
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-25 14:32 UTC
  To: Josselin Poiret; +Cc: Guix Devel

Hi Josselin,

On Tue, Apr 25, 2023 at 5:26 AM Josselin Poiret <dev@jpoiret.xyz> wrote:
>
> What is `command -v su`

$ command -v su
/home/lechner/.guix-home/profile/bin/su

> and `ls /run/setuid-programs/`?

Please see below for output.

> Have you rebooted since reconfiguring?

Yes, I have---at least twice. Thanks for looking into this!

Kind regards
Felix Lechner

* * *

$ ls -l /run/setuid-programs/
total 4236
-r-sr-xr-x 1 root root    55184 Apr 24 19:55 chfn
-r-sr-xr-x 1 root root    73368 Apr 24 19:55 dbus-daemon-launch-helper
-r-sr-xr-x 1 root root    35432 Apr 24 19:55 fusermount
-r-sr-xr-x 1 root root    40560 Apr 24 19:55 fusermount3
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 mailq
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 makemap
-r-sr-xr-x 1 root root    56576 Apr 24 19:55 mount
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 newaliases
-r-sr-xr-x 1 root root    51664 Apr 24 19:55 newgidmap
-r-sr-xr-x 1 root root    37176 Apr 24 19:55 newgrp
-r-sr-xr-x 1 root root    51632 Apr 24 19:55 newuidmap
-r-sr-xr-x 1 root root    64824 Apr 24 19:55 passwd
-r-sr-xr-x 1 root root    70536 Apr 24 19:55 ping
-r-sr-xr-x 1 root root    61352 Apr 24 19:55 ping6
-r-sr-xr-x 1 root root    32536 Apr 24 19:55 pkexec
-r-sr-xr-x 1 root root    22048 Apr 24 19:55 polkit-agent-helper-1
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 send-mail
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 sendmail
-r-sr-xr-x 1 root root    37176 Apr 24 19:55 sg
-r-xr-sr-x 1 root smtpq  200904 Apr 24 19:55 smtpctl
-r-sr-xr-x 1 root root    45848 Apr 24 19:55 su
-r-sr-xr-x 1 root root   265032 Apr 24 19:55 sudo
-r-sr-xr-x 1 root root   265032 Apr 24 19:55 sudoedit
-r-sr-xr-x 1 root root    35832 Apr 24 19:55 umount
-r-sr-xr-x 1 root root  1776328 Apr 24 19:55 xlock



* Re: Setuid handling?
From: Josselin Poiret @ 2023-04-25 15:37 UTC
  To: Felix Lechner; +Cc: Guix Devel


Hi Felix,

Felix Lechner <felix.lechner@lease-up.com> writes:
> $ command -v su
> /home/lechner/.guix-home/profile/bin/su

This is the crux of the issue here, it should be
/run/setuid-programs/su.  Are you on Guix system?  /run/setuid-programs/
should be at the top of your PATH.  The default /etc/profile should
ensure that, but if you do anything else with env variables it might get
shadowed.  I am not too sure of how guix home deals with this, you might
have to dig deeper there.

Best,
-- 
Josselin Poiret


* Re: Setuid handling?
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-04-25 16:21 UTC
  To: Josselin Poiret; +Cc: Guix Devel

Hi Josselin,

On Tue, Apr 25, 2023 at 8:37 AM Josselin Poiret <dev@jpoiret.xyz> wrote:
>
> Are you on Guix system?

Thanks for asking! I am, and always have been.

>  /run/setuid-programs/ should be at the top of your PATH.

Well, the home profile ends up being first here:

$ echo $PATH | tr : '\n'
/home/lechner/.guix-home/profile/bin
/home/lechner/.guix-home/profile/sbin
/home/lechner/.guix-home/profile/bin
/home/lechner/.guix-home/profile/sbin
/run/setuid-programs
/home/lechner/.config/guix/current/bin
/home/lechner/.guix-profile/bin
/home/lechner/.guix-profile/sbin
/run/current-system/profile/bin
/run/current-system/profile/sbin
/gnu/store/0c1yfbxyv877mlgychfgvmk5ha2jqh52-gzip-1.10/bin
/gnu/store/8fpk2cja3f07xls48jfnpgrzrljpqivr-coreutils-8.32/bin

> The default /etc/profile should ensure that

Mine is shown below.

> but if you do anything else with env variables it might get
> shadowed.

I have buffer-env installed (I'm in EXWM) although I am not sure it
makes a difference. I also do not understand where the gzip and
coreutils references come from.

> I am not too sure of how guix home deals with this, you might
> have to dig deeper there.

Thanks for that pointer! I'm in Bash, via Eat. [1] Right now I'm not
sure where to look, so more references from anybody would be
appreciated.

Kind regards
Felix

[1] https://codeberg.org/akib/emacs-eat

* * *

$ cat /etc/profile
# Crucial variables that could be missing in the profiles' 'etc/profile'
# because they would require combining both profiles.
# FIXME: See <http://bugs.gnu.org/20255>.
export MANPATH=$HOME/.guix-profile/share/man:/run/current-system/profile/share/man
export INFOPATH=$HOME/.guix-profile/share/info:/run/current-system/profile/share/info
export XDG_DATA_DIRS=$HOME/.guix-profile/share:/run/current-system/profile/share
export XDG_CONFIG_DIRS=$HOME/.guix-profile/etc/xdg:/run/current-system/profile/etc/xdg

# Make sure libXcursor finds cursors installed into user or system
# profiles.  See <http://bugs.gnu.org/24445>
export XCURSOR_PATH=$HOME/.icons:$HOME/.guix-profile/share/icons:/run/current-system/profile/share/icons

# Ignore the default value of 'PATH'.
unset PATH

# Load the system profile's settings.
GUIX_PROFILE=/run/current-system/profile ; \
. /run/current-system/profile/etc/profile

# Since 'lshd' does not use pam_env, /etc/environment must be explicitly
# loaded when someone logs in via SSH.  See <http://bugs.gnu.org/22175>.
# We need 'PATH' to be defined here, for 'cat' and 'cut'.  Do this before
# reading the user's 'etc/profile' to allow variables to be overridden.
if [ -f /etc/environment -a -n "$SSH_CLIENT" \
     -a -z "$LINUX_MODULE_DIRECTORY" ]
then
  . /etc/environment
  export `cat /etc/environment | cut -d= -f1`
fi

# Arrange so that ~/.config/guix/current comes first.
for profile in "$HOME/.guix-profile" "$HOME/.config/guix/current"
do
  if [ -f "$profile/etc/profile" ]
  then
    # Load the user profile's settings.
    GUIX_PROFILE="$profile" ; \
    . "$profile/etc/profile"
  else
    # At least define this one so that basic things just work
    # when the user installs their first package.
    export PATH="$profile/bin:$PATH"
  fi
done

# Prepend setuid programs.
export PATH=/run/setuid-programs:$PATH

# Arrange so that ~/.config/guix/current/share/info comes first.
export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"

# Set the umask, notably for users logging in via 'lsh'.
# See <http://bugs.gnu.org/22650>.
umask 022

# Allow Hunspell-based applications (IceCat, LibreOffice, etc.) to
# find dictionaries.
export DICPATH="$HOME/.guix-profile/share/hunspell:/run/current-system/profile/share/hunspell"

# Allow GStreamer-based applications to find plugins.
export GST_PLUGIN_PATH="$HOME/.guix-profile/lib/gstreamer-1.0"

if [ -n "$BASH_VERSION" -a -f /etc/bashrc ]
then
  # Load Bash-specific initialization code.
  . /etc/bashrc
fi



* Re: Setuid handling?
From: Leo Famulari @ 2023-04-25 16:50 UTC
  To: Felix Lechner via Development of GNU Guix and the GNU System distribution.
  Cc: Josselin Poiret

On Tue, Apr 25, 2023 at 09:21:52AM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution. wrote:
> Well, the home profile ends up being first here:

That's wrong on Guix System.

Check your user's shell initialization files, such as ~/.bash_profile,
~/.profile, ~/.bashrc. If you are using something besides Bash, adjust
accordingly.

Something is changing your $PATH in a way that is broken on Guix System.



* Re: Setuid handling?
From: Saku Laesvuori @ 2023-04-25 17:04 UTC
  To: Felix Lechner; +Cc: Josselin Poiret, Guix Devel


> >  /run/setuid-programs/ should be at the top of your PATH.
> 
> Well, the home profile ends up being first here:

I, too, have my home profile as the first one. Having peeked into
/etc/profile and ~/.guix-home/setup-environment it seems like that is
the original order without any interference from the user's shell
configuration.

> > The default /etc/profile should ensure that

The default /etc/profile only ensures that when the user profile is
~/.guix-profile or ~/.config/guix/current. Guix home stores the profile
at ~/.guix-home/profile.

> Thanks for that pointer! I'm in Bash, via Eat. [1] Right now I'm not
> sure where to look, so more references from anybody would be
> appreciated.

Maybe you could remove the packages with setuid-programs from your home
configuration, but really this seems like a bug in guix home to me.

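A PATH-order check that follows Josselin's `command -v su` / `ls /run/setuid-programs/` diagnosis and Saku's point that /etc/profile only prepends /run/setuid-programs ahead of the two profiles it knows about. This is an added example, not code from the thread or from Guix; it assumes POSIX sh and takes the setuid directory and the PATH string as arguments, so it can be exercised against a constructed directory layout as well as the live system.

```shell
#!/bin/sh
# Added diagnostic for the PATH-ordering problem in this thread; not Guix code.
# Assumptions: POSIX sh; the setuid directory and PATH string are passed in
# rather than hard-coded, so the same functions work on a constructed layout.

# path_rank DIR PATHSTRING: print the 1-based position of DIR in PATHSTRING
# (0 if absent). On Guix System /run/setuid-programs should come out as 1.
path_rank() {
  i=0; oldifs=$IFS; IFS=:
  for dir in $2; do
    i=$((i + 1))
    if [ "$dir" = "$1" ]; then IFS=$oldifs; echo "$i"; return 0; fi
  done
  IFS=$oldifs; echo 0; return 1
}

# first_in_path NAME PATHSTRING: print the executable that PATH lookup picks
# for NAME, i.e. what `command -v NAME` would answer under that PATH.
first_in_path() {
  oldifs=$IFS; IFS=:
  for dir in $2; do
    if [ -x "$dir/$1" ]; then IFS=$oldifs; printf '%s\n' "$dir/$1"; return 0; fi
  done
  IFS=$oldifs; return 1
}

# shadowed_setuid SETUID_DIR PATHSTRING: for every program in SETUID_DIR print
# "NAME -> RESOLVED" when lookup lands somewhere else (a non-setuid copy in a
# profile, as with ~/.guix-home/profile/bin/su). Returns 1 if any is shadowed.
shadowed_setuid() {
  rc=0
  for prog in "$1"/*; do
    [ -e "$prog" ] || continue            # empty directory: glob stays literal
    name=${prog##*/}
    found=$(first_in_path "$name" "$2") || found='(not in PATH)'
    if [ "$found" != "$1/$name" ]; then
      printf '%s -> %s\n' "$name" "$found"
      rc=1
    fi
  done
  return "$rc"
}

# Only touch the live system when asked, so the file can be sourced safely.
if [ "${1:-}" = "--live" ]; then
  echo "/run/setuid-programs is PATH entry #$(path_rank /run/setuid-programs "$PATH")"
  shadowed_setuid /run/setuid-programs "$PATH" && echo "no setuid program is shadowed"
fi
```

Run as `sh check-setuid-path.sh --live` (file name assumed) on the affected machine; a non-empty report names exactly the programs whose `su: Not setuid` style failures are explained by a profile copy winning the PATH lookup.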

* Re: Setuid handling?
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2023-05-17  4:37 UTC
  To: Saku Laesvuori; +Cc: Josselin Poiret, Guix Devel

Hi everyone,

On Tue, Apr 25, 2023 at 10:04 AM Saku Laesvuori <saku@laesvuori.fi> wrote:
>
> Maybe you could remove the packages with setuid-programs from your home
> configuration, but really this seems like a bug in guix home to me.

Maybe so, but it did not help that we ship an 'su' implementation
that, according to the Heimdal maintainers, has been obsolete for five
years.

Their releases are based on a stable branch which means they rely on
distributions to drop the executables. (Debian renames them [1] but
they are useless without setuid root and may not meet the PAM policy
of the local administrator.)

Here is a patch that removes the obsolete executables from Guix. [2]
Perhaps someone with newly granted committer rights would like to have
a look at it. Congratulations, also!

I switched to building Heimdal from Git since I was not sure if or
when [3] our gnu-build-system runs autogen.sh or any invocation of
autoreconf when a ./configure script is already present (in the tarball).

Kind regards
Felix

[1] https://sources.debian.org/src/heimdal/7.8.git20221117.28daf24%2Bdfsg-2/debian/rules/#L116
[2] https://issues.guix.gnu.org/63545
[3] https://github.com/guix-mirror/guix/blob/c8e599b9391f789a8a3e2183fc8f0c2a5061ceb0/gnu/packages/networking.scm#L3250-L3255

