References: <877dtj753p.fsf@gmail.com> <871rja3hdv.fsf@dustycloud.org> <87eena1tl5.fsf@dustycloud.org> <87wo12zhob.fsf@dustycloud.org> <874knxonu8.fsf@gnu.org> <87lff3heun.fsf@dustycloud.org>
User-agent: mu4e 1.4.13; emacs 27.1
From: Christopher Lemmer Webber
Subject: Re: Setuid programs
In-reply-to: <87lff3heun.fsf@dustycloud.org>
Date: Mon, 16 Nov 2020 12:44:51 -0500
Message-ID: <874klpgprg.fsf@dustycloud.org>
Cc: guix-devel@gnu.org, Maxim Cournoyer
List-Id: "Development of GNU Guix and the GNU System distribution."

Christopher Lemmer Webber writes:

> Ludovic Courtès writes:
>
>> Hi,
>>
>> Gábor Boskovits skribis:
>>
>>> I have two reasons for that: backwards compatibility is really
>>> important, so we should not break it, and I believe this would not be
>>> hard to do.
>>> On the other hand it would be nice to have a more integrated backend,
>>> and move as many things into the services infrastructure as practical,
>>> and I think this is a good candidate for that. Wdyt?
>>
>> There’s already ‘setuid-program-service-type’.  I think the way forward
>> would be to:
>>
>>   1. Define the record type you propose.
>>
>>   2. Have ‘setuid-program-service-type’ accept that through its
>>      extensions.  When it receives something else, it should
>>      transparently turn it into a record, for backward
>>      compatibility, and emit a deprecation warning.
>>
>>   3. Document the OS ‘setuid-programs’ field as taking a list of such
>>      records.
>>
>> How does that sound?
>>
>> Thanks,
>> Ludo’.
>
> This sounds like a good plan.  I'm taking a stab at it, but there's a
> good chance I'll get it wrong, so review will be seriously needed.
> Let's find out how I do!

I've attached a patch that includes my plan for the setuid stuff.  I
could submit this to guix-patches I suppose if that would be better.
But I wonder if I should actually just rebase the wip-postfix on top of
master, apply this, and then start working on setting up postfix to make
use of it.

What do you think of this approach?

Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-services-setuid-More-specific-setuid-support.patch

From cab9f7c017fb2ea0c8dc80084c3c269fa8e85378 Mon Sep 17 00:00:00 2001
From: Christopher Lemmer Webber
Date: Sun, 15 Nov 2020 16:58:52 -0500
Subject: [PATCH] services: setuid: More specific setuid support.

New record with fields for setting the specific user and group, as well as
specifically selecting the setuid and setgid bits, for a program within the
setuid-program-service.

* gnu/services.scm (): New record type.
(setuid-program, make-setuid-program, setuid-program?)
(setuid-program-program, setuid-program-setuid?, setuid-program-setgid?)
(setuid-program-user, setuid-program-group): New variables, export them.
(setuid-program-entry): New variable, a procedure used for the
service-extension of activation-service-type as set up by
setuid-program-service-type.  Unpacks the record, handing off within the
gexp to activate-setuid-programs.
(setuid-program-service-type): Make use of setuid-program-entry.
* gnu/build/activation.scm (activate-setuid-programs): Update to expect a
tagged list for each program entry, pre-unpacked from the record before
being handed to this procedure.
---
 gnu/build/activation.scm | 40 ++++++++++++++++----------------
 gnu/services.scm         | 49 +++++++++++++++++++++++++++++++++++++---
 2 files changed, 67 insertions(+), 22 deletions(-)

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 4b67926e88..a2bdfd5aa5 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -229,13 +229,6 @@ they already exist." (define (activate-setuid-programs programs) "Turn PROGRAMS, a list of file names, into setuid programs stored under %SETUID-DIRECTORY." - (define (make-setuid-program prog) - (let ((target (string-append %setuid-directory - "/" (basename prog)))) - (copy-file prog target) - (chown target 0 0) - (chmod target #o6555))) - (format #t "setting up setuid programs in '~a'...~%" %setuid-directory) (if (file-exists? %setuid-directory)
@@ -247,18 +240,27 @@ they already exist." string. - (format (current-error-port) - "warning: failed to make '~a' setuid-root: ~a~%" - program (strerror (system-error-errno args)))))) + (for-each (match-lambda + [('setuid-program src-path setuid? setgid? uid gid) + (catch 'system-error + (lambda () + (let ((target (string-append %setuid-directory + "/" (basename src-path))) + (mode (+ #o0555 ; base permissions + (if setuid? #o4000 0) ; setuid bit + (if setgid? #o2000 0)))) ; setgid bit + (copy-file src-path target) + (chown target uid gid) + (chmod target mode))) + (lambda args + ;; If we fail to create a setuid program, better keep going + ;; so that we don't leave %SETUID-DIRECTORY empty or + ;; half-populated. This can happen if PROGRAMS contains + ;; incorrect file names: . + (format (current-error-port) + "warning: failed to make '~a' setuid-root: ~a~%" + (setuid-program-program program) + (strerror (system-error-errno args)))))]) programs)) (define (activate-special-files special-files) diff --git a/gnu/services.scm b/gnu/services.scm index 4b30399adc..7e03808489 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -87,6 +87,14 @@ ambiguous-target-service-error-service ambiguous-target-service-error-target-type + setuid-program + setuid-program? + setuid-program-program + setuid-program-setuid? + setuid-program-setgid? + setuid-program-user + setuid-program-group + system-service-type provenance-service-type sexp->system-provenance 
@@ -773,13 +781,48 @@ directory." FILES must be a list of name/file-like object pairs." (service etc-service-type files)) +(define-record-type* setuid-program make-setuid-program + setuid-program? + ;; Path to program to link with setuid permissions + (program setuid-program-program) ;string + ;; Whether to set user setuid bit + (setuid? setuid-program-setuid? ;boolean + (default #t)) + ;; Whether to set user setgid bit + (setgid? setuid-program-setgid? ;boolean + (default #t)) + ;; The user this should be set to (defaults to root) + (user setuid-program-user ;integer + (default 0)) + ;; Group we want to set this to (defaults to root) + (group setuid-program-group ;integer + (default 0))) + +(define (setuid-program-entry programs) + #~(activate-setuid-programs + ;; convert into a tagged list structure as expected by + ;; activate-setuid-programs + (list #$@(map (match-lambda + [(? setuid-program? sp) + #~(list 'setuid-program + #$(setuid-program-program sp) + #$(setuid-program-setuid? sp) + #$(setuid-program-setgid? sp) + #$(setuid-program-user sp) + #$(setuid-program-group sp))] + ;; legacy, non- structure + [program + ;; TODO: Spit out a warning here? + #~(list 'setuid-program + #$program + #t #t 0 0)]) + programs)))) + (define setuid-program-service-type (service-type (name 'setuid-program) (extensions (list (service-extension activation-service-type - (lambda (programs) - #~(activate-setuid-programs - (list #$@programs)))))) + setuid-program-entry))) (compose concatenate) (extend append) (description -- 2.29.1 --=-=-=--
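Review bot: the docstring of `activate-setuid-programs` in the first activation.scm hunk still says PROGRAMS is "a list of file names", but after this change each entry is a tagged list `('setuid-program src-path setuid? setgid? uid gid)`; update the docstring to describe the new shape and the meaning of each element, since this is the build-side contract that gnu/services.scm must produce.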
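Review bot: the error handler in the second activation.scm hunk references `program`, which is not bound inside the `match-lambda` clause (the pattern binds `src-path`, `setuid?`, `setgid?`, `uid` and `gid`), and `setuid-program-program` is a record accessor defined in gnu/services.scm that is not available in the build-side activation module; so any failure to copy, chown or chmod an entry would raise an unbound-variable error inside the handler instead of printing the warning and continuing, which defeats the "better keep going" comment right above it. Suggest `(format (current-error-port) "warning: failed to make '~a' setuid: ~a~%" src-path (strerror (system-error-errno args)))`. The "setuid-root" wording is also no longer accurate now that `uid` can be something other than 0.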
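Review bot: the export list in the first services.scm hunk does not export `make-setuid-program`, although the commit message lists it among the exported variables; either add it to the exports or drop it from the message so the ChangeLog entry matches the code.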
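Review bot: the legacy branch of `setuid-program-entry` in the last services.scm hunk leaves the deprecation warning as a TODO, whereas the agreed plan is that a bare program is transparently wrapped and a deprecation warning emitted; please emit the warning there rather than silently accepting the old form. Two smaller points in the same hunk: the `user` and `group` fields are documented as integers and passed straight to `chown`, so the field comments, and the manual (the diffstat shows doc/ is not touched, although documenting the new `setuid-programs` field type was step 3 of the plan), should state that symbolic user and group names are not accepted; and because the record case is matched with `(? setuid-program? sp)`, any non-record, non-string value also falls into the legacy branch and is spliced into the gexp as-is, so a type check there would give a clearer error than a failure at activation time.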
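The normalization step Ludo proposes (accept either a record or a legacy bare file name, wrap the latter with the old defaults and warn about it) as an added stand-alone illustration in plain Guile; this is not code from the patch or from Guix, and the SRFI-9 record, the warning text, the `setuid-program-mode` helper and the sample paths are assumptions made for the example.

```scheme
(use-modules (srfi srfi-9) (ice-9 match) (ice-9 format))

;; Stand-in for the record the patch adds to gnu/services.scm.
(define-record-type <setuid-program>
  (make-setuid-program program setuid? setgid? user group)
  setuid-program?
  (program setuid-program-program)   ; file name, a string
  (setuid? setuid-program-setuid?)   ; boolean
  (setgid? setuid-program-setgid?)   ; boolean
  (user    setuid-program-user)      ; numeric uid
  (group   setuid-program-group))    ; numeric gid

(define (legacy->setuid-program program)
  "Wrap a bare file name, as the old 'setuid-programs' field accepted,
in a record with the historical defaults (setuid+setgid, root:root) and
emit a deprecation warning so the user knows to migrate."
  (format (current-error-port)
          "warning: bare setuid program '~a' is deprecated; use a setuid-program record~%"
          program)
  (make-setuid-program program #t #t 0 0))

(define (normalize-setuid-programs entries)
  "Return ENTRIES as a list of <setuid-program> records, converting legacy
strings and rejecting anything else up front rather than at activation."
  (map (match-lambda
         ((? setuid-program? sp) sp)
         ((? string? program) (legacy->setuid-program program))
         (other (error "invalid setuid-programs entry:" other)))
       entries))

(define (setuid-program-mode sp)
  "Compute the mode the activation code applies: 0555 plus the setuid
and setgid bits the record selects."
  (logior #o555
          (if (setuid-program-setuid? sp) #o4000 0)
          (if (setuid-program-setgid? sp) #o2000 0)))

;; Constructed sample input: one explicit record (setuid only, root:root)
;; and one legacy bare file name.
(define sample
  (normalize-setuid-programs
   (list (make-setuid-program "/example/bin/sudo" #t #f 0 0)
         "/example/bin/ping")))

(for-each (lambda (sp)
            (format #t "~a -> mode ~o, owner ~a:~a~%"
                    (setuid-program-program sp) (setuid-program-mode sp)
                    (setuid-program-user sp) (setuid-program-group sp)))
          sample)
```

Running it prints the deprecation warning for the bare entry on stderr, then mode 4555 for the record and 6555 for the wrapped legacy entry, matching the #o6555 the old `make-setuid-program` applied unconditionally.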