* [bug#40922] gnu: udevil: Fix loading of setuid-programs.
@ 2020-04-28 6:52 Raghav Gururajan
From: Raghav Gururajan @ 2020-04-28 6:52 UTC (permalink / raw)
To: 40922
[-- Attachment #2: 0001-gnu-udevil-Fix-loading-of-setuid-programs.patch --]
From de62f6773a75bffff632f70fa3062b3668462543 Mon Sep 17 00:00:00 2001
From: Raghav Gururajan <raghavgururajan@disroot.org>
Date: Tue, 28 Apr 2020 02:29:36 -0400
Subject: [PATCH] gnu: udevil: Fix loading of setuid-programs.
* gnu/packages/disk.scm (udevil): Fix loading of setuid-programs.
[1] Patched references to mount, umount, losetup and setfacl; as udevil
expects these programs to have uid set as root.
[2] Patched references to udevil; as udevil itself and devmon expect
udevil to have uid set as root.
---
gnu/packages/disk.scm | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index b7d3b9d954..2b9ba8e38d 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -103,16 +103,34 @@
(build-system gnu-build-system)
(arguments
`(#:configure-flags
- (list "--disable-systemd"
- (string-append "--sysconfdir="
- (assoc-ref %outputs "out")
- "/etc"))
+ (list
+ "--disable-systemd"
+ (string-append "--sysconfdir="
+ (assoc-ref %outputs "out")
+ "/etc")
+ ;; udevil expects these programs to be run with uid set as root.
+ ;; user has to manually add these programs to setuid-programs.
+ ;; mount and umount are default setuid-programs in guix system.
+ "--with-mount-prog=/run/setuid-programs/mount"
+ "--with-umount-prog=/run/setuid-programs/umount"
+ "--with-losetup-prog=/run/setuid-programs/losetup"
+ "--with-setfacl-prog=/run/setuid-programs/setfacl")
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'remove-root-reference
(lambda _
(substitute* "src/Makefile.in"
(("-o root -g root") ""))
+ #t))
+ (add-after 'unpack 'patch-udevil-reference
+ ;; udevil expects itself to be run with uid set as root.
+ ;; devmon also expects udevil to be run with uid set as root.
+ ;; user has to manually add udevil to setuid-programs.
+ (lambda _
+ (substitute* "src/udevil.c"
+ (("/usr/bin/udevil") "/run/setuid-programs/udevil"))
+ (substitute* "src/devmon"
+ (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil"))
#t)))))
(native-inputs
`(("intltool" ,intltool)
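Review bot: the four `--with-*-prog` configure flags and the `src/udevil.c` / `src/devmon` substitutions hardcode `/run/setuid-programs/...` paths, yet the comments in the same hunk state that only mount and umount are present there by default; until an operator adds losetup, setfacl and udevil to `setuid-programs`, those are dangling references and udevil will fail at run time, and nothing in the package (its `description` or a documented service) surfaces that requirement to the user. Suggest stating it explicitly in the package description or in the commit message, and, since each entry added to `setuid-programs` widens the set of setuid-root binaries on the system, noting why losetup and setfacl must be setuid themselves rather than being invoked from the already-setuid udevil (the accompanying discussion says udevil drops privileges before calling them, which is the reason worth recording next to these flags).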
--
2.26.2
* [bug#40922] gnu: udevil: Fix loading of setuid-programs.
From: Danny Milosavljevic @ 2020-05-01 12:24 UTC (permalink / raw)
To: Raghav Gururajan; +Cc: 40922
Hi Raghav,
On Tue, 28 Apr 2020 02:52:28 -0400
Raghav Gururajan <raghavgururajan@disroot.org> wrote:
> [1] Patched references to mount, umount, losetup and setfacl; as udevil
> expects these programs to have uid set as root.
> [2] Patched references to udevil; as udevil itself and devmon expects
> udevil to have uid set as root.
Why are both needed at the same time? If udevil is setuid root, then the
other tools are invoked as root anyway, right? Or does udevil drop root
privileges? (short look into src/udevil.c suggests yes)
Is there a description from upstream how all that is supposed to work?
Remainder OK.
* [bug#40922] gnu: udevil: Fix loading of setuid-programs.
From: Raghav Gururajan @ 2020-05-01 14:05 UTC (permalink / raw)
To: Danny Milosavljevic; +Cc: 40922
Hi Danny!
> Why are both needed at the same time? If udevil is setuid root, then the
> other tools are invoked as root anyway, right? Or does udevil drop root
> privileges? (short look into src/udevil.c suggests yes)
Yes, both are needed at the same time. I tried them alternatively, did not work.
As you mentioned, it drops privileges (file: src/udevil.c; line: 5061).
> Is there a description from upstream how all that is supposed to work?
There is some description in "Set SUID" section of README file
(https://github.com/IgnorantGuru/udevil/blob/master/README).
> Remainder OK.
Thanks!
Regards,
RG.
* bug#40922: gnu: udevil: Fix loading of setuid-programs.
From: Danny Milosavljevic @ 2020-05-01 14:38 UTC (permalink / raw)
To: Raghav Gururajan; +Cc: 40922-done
Pushed to guix master as commit 8546f4da5b3677001dbda6b3a116f5bdc44ea5c0.