From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id MHBLBaqg5145OQAA0tVLHw
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 15 Jun 2020 16:24:10 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id 2NQkAaqg5176ZQAAbx9fmQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 15 Jun 2020 16:24:10 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 6F7229408E9
	for <larch@yhetil.org>; Mon, 15 Jun 2020 16:24:09 +0000 (UTC)
Received: from localhost ([::1]:55072 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1jkru4-0003DM-EG
	for larch@yhetil.org; Mon, 15 Jun 2020 12:24:08 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:54806)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jkrty-0003D7-SR
 for guix-patches@gnu.org; Mon, 15 Jun 2020 12:24:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:35730)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jkrty-0005WH-J4
 for guix-patches@gnu.org; Mon, 15 Jun 2020 12:24:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1jkrty-0000or-Dh
 for guix-patches@gnu.org; Mon, 15 Jun 2020 12:24:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#41875] [PATCH] system: Add 'sg' and 'newgrp' to %SETUID-PROGRAMS.
Resent-From: Brice Waegeneire <brice@waegenei.re>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 15 Jun 2020 16:24:02 +0000
Resent-Message-ID: <handler.41875.B.15922382173115@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 41875
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 41875@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.15922382173115
 (code B ref -1); Mon, 15 Jun 2020 16:24:02 +0000
Received: (at submit) by debbugs.gnu.org; 15 Jun 2020 16:23:37 +0000
Received: from localhost ([127.0.0.1]:47276 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1jkrtY-0000oA-Ow
 for submit@debbugs.gnu.org; Mon, 15 Jun 2020 12:23:36 -0400
Received: from lists.gnu.org ([209.51.188.17]:57158)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <brice@waegenei.re>) id 1jkrtX-0000ny-9F
 for submit@debbugs.gnu.org; Mon, 15 Jun 2020 12:23:35 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:54612)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <brice@waegenei.re>) id 1jkrtX-00035y-3x
 for guix-patches@gnu.org; Mon, 15 Jun 2020 12:23:35 -0400
Received: from relay12.mail.gandi.net ([217.70.178.232]:43881)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <brice@waegenei.re>) id 1jkrtV-0005Si-I2
 for guix-patches@gnu.org; Mon, 15 Jun 2020 12:23:34 -0400
Received: from localhost (luy13-1-78-237-113-178.fbx.proxad.net
 [78.237.113.178]) (Authenticated sender: brice@waegenei.re)
 by relay12.mail.gandi.net (Postfix) with ESMTPSA id A715A200006
 for <guix-patches@gnu.org>; Mon, 15 Jun 2020 16:23:31 +0000 (UTC)
From: Brice Waegeneire <brice@waegenei.re>
Date: Mon, 15 Jun 2020 18:23:28 +0200
Message-Id: <20200615162328.25429-1-brice@waegenei.re>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=217.70.178.232; envelope-from=brice@waegenei.re; 
 helo=relay12.mail.gandi.net
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/15 12:18:57
X-ACL-Warn: Detected OS   = Linux 3.11 and newer
X-Spam_score_int: -25
X-Spam_score: -2.6
X-Spam_bar: --
X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-Spam-Score: -1.6 (-)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-Spam-Score: -2.6 (--)
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Spam-Score: 3.99
X-TUID: rm/nTT1DWHEb

* gnu/system.scm (%setuid-programs): Add 'sg' and 'newgrp'.
---

Without it 'newgrp' is unusable:

--8<---------------cut here---------------start------------->8---
$ whoami
bricewge
$ cat /etc/group | grep wireshark
wireshark:x:970:bricewge
$ groups
users libvirt adbusers plugdev kvm lp netdev audio video input dialout wheel
$ newgrp wireshark
setgroups: Operation not permitted
setgid: Operation not permitted
--8<---------------cut here---------------end--------------->8---

I also added 'sg' since, in the shadow package, it's a symlink to 'newgrp'.

 gnu/system.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/system.scm b/gnu/system.scm
index 06bbc9e9c8..3e3d1927c2 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -932,7 +932,9 @@ use 'plain-file' instead~%")
   ;; Default set of setuid-root programs.
   (let ((shadow (@ (gnu packages admin) shadow)))
     (list (file-append shadow "/bin/passwd")
+          (file-append shadow "/bin/sg")
           (file-append shadow "/bin/su")
+          (file-append shadow "/bin/newgrp")
           (file-append shadow "/bin/newuidmap")
           (file-append shadow "/bin/newgidmap")
           (file-append inetutils "/bin/ping")
-- 
2.26.2