From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id wHApCriV4GAOwQAAgWs5BA (envelope-from ) for ; Sat, 03 Jul 2021 18:52:08 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id MFO4BbiV4GANUQAAB5/wlQ (envelope-from ) for ; Sat, 03 Jul 2021 16:52:08 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A537D163FE for ; Sat, 3 Jul 2021 18:52:07 +0200 (CEST) Received: from localhost ([::1]:60778 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lzisA-0002E6-H6 for larch@yhetil.org; Sat, 03 Jul 2021 12:52:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57098) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lzis6-0002Dp-Ae for guix-patches@gnu.org; Sat, 03 Jul 2021 12:52:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:56449) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lzis6-0006Uv-3c for guix-patches@gnu.org; Sat, 03 Jul 2021 12:52:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lzis6-0006Pu-2z for guix-patches@gnu.org; Sat, 03 Jul 2021 12:52:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#44700] [PATCH v2 2/2] services: Migrate to . Resent-From: Brice Waegeneire Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sat, 03 Jul 2021 16:52:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 44700 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 44700@debbugs.gnu.org Cc: cwebber@dustycloud.org Received: via spool by 44700-submit@debbugs.gnu.org id=B44700.162533111024577 (code B ref 44700); Sat, 03 Jul 2021 16:52:02 +0000 Received: (at 44700) by debbugs.gnu.org; 3 Jul 2021 16:51:50 +0000 Received: from localhost ([127.0.0.1]:39759 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lzirm-0006OC-0V for submit@debbugs.gnu.org; Sat, 03 Jul 2021 12:51:50 -0400 Received: from relay10.mail.gandi.net ([217.70.178.230]:45533) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lzirh-0006Nb-Nh for 44700@debbugs.gnu.org; Sat, 03 Jul 2021 12:51:40 -0400 Received: (Authenticated sender: brice@waegenei.re) by relay10.mail.gandi.net (Postfix) with ESMTPSA id E1E4D240004; Sat, 3 Jul 2021 16:51:31 +0000 (UTC) From: Brice Waegeneire Date: Sat, 3 Jul 2021 18:51:27 +0200 Message-Id: <20210703165127.12316-3-brice@waegenei.re> X-Mailer: git-send-email 2.31.1 In-Reply-To: <87v98o94ob.fsf@dustycloud.org> References: <87v98o94ob.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1625331127; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=W96VzPLp3uoX9Vh/a+ha9W5SwEBjELCANbBePqx3wz0=; b=VC+r+ZlOSGRvSTzMT8BWNmcPiCseHLOjgnG+UuTTW2hXo5G10eH/Dj1PtBmHJZ9II9x4GH +ry194KBM0pvTioZ8wodlTOJYqvSeOehVyICx994rFzXfrvTCHl1qyO/s1XiwDEfKp8KoO tpW7MCRqNhBHdgcNfnnSHvJltireFCl1hmXIqcqzb7fU+mKL9dhkziqxLfgocZhx627cOm HggJeyk+dsxbhEOOT5wuVqhMl1cFSaKN3jqDJkQxXqSRmabbSdA0F5uZFYYK/D0HEqjg+/ nEPEWj3d8qjL2O3YB6dI/ArkZzh4wSplyngh8Rsn+ZatSAjV6RqdHiMJY5O33Q== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1625331127; a=rsa-sha256; cv=none; b=O1K4aULtphaw7DL12idIDB00WWkOfn9+fNbPp8fN9W6g8ATlY49nGN6qG+cZSYaVyTdM2S oXYD58O+np5PPlrU5RuuOzUui/9m2oEBjxFBZydGpFSQ2Y03peFIZWqOBwx2/Ss3j8S93i bXRb0ttjPcM+aJMDFYPY+IXsgHJL/hQAg9n8/vLHKzuUyx2Klr5ghC2+65WjBdkYQ2Lqga z7Wz7Y8AVsLLJF0z7hTxCiTYHwbblUDTdg1SaX5LVUf2TNGivJ2XyhebGw0IUFkaIq/iah X5poJgCI4luDN8FH5QzHXANQJfEaDR6LGPheIUCrgQ/g9Xuiq0oSD2qIG1BWMg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: -1.41 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: A537D163FE X-Spam-Score: -1.41 X-Migadu-Scanner: scn0.migadu.com X-TUID: qdtavHq/PA/v * gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs): Return setuid-programs. * gnu/services/desktop.scm (enlightenment-setuid-programs): Return setuid-programs. (%desktop-services)[mount-setuid-helpers]: Use setuid-programs. * gnu/services/docker.scm (singularity-setuid-programs): Return setuid-programs. * gnu/services/xorg.scm(screen-locker-setuid-programs): Return setuid-programs. * gnu/system.scm (%setuid-programs): Return setuid-programs. --- gnu/services/dbus.scm | 13 +++++++++---- gnu/services/desktop.scm | 26 ++++++++++++++++---------- gnu/services/docker.scm | 9 ++++++--- gnu/services/xorg.scm | 4 +++- gnu/system.scm | 31 ++++++++++++++++--------------- 5 files changed, 50 insertions(+), 33 deletions(-) diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm index af1a1e4c3a..e7b3dac166 100644 --- a/gnu/services/dbus.scm +++ b/gnu/services/dbus.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès ;;; Copyright © 2015 Sou Bunnbu ;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -21,6 +22,7 @@ (define-module (gnu services dbus) #:use-module (gnu services) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu packages glib) #:select (dbus)) @@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in (shell (file-append shadow "/sbin/nologin"))))) (define dbus-setuid-programs - ;; Return the file name of the setuid program that we need. + ;; Return a list of for the program that we need. (match-lambda (($ dbus services) - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) + (list (setuid-program + (program (file-append + dbus "/libexec/dbus-daemon-launch-helper"))))))) (define (dbus-activation config) "Return an activation gexp for D-Bus using @var{config}." @@ -335,8 +339,9 @@ tuples, are all set as environment variables when the bus daemon launches it." (define polkit-setuid-programs (match-lambda (($ polkit) - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") - (file-append polkit "/bin/pkexec"))))) + (map file-like->setuid-program + (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") + (file-append polkit "/bin/pkexec")))))) (define polkit-service-type (service-type (name 'polkit) diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index cd800fcc2b..6297b8eb0b 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2019 David Wilson ;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; Copyright © 2020 Reza Alizadeh Majd +;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -40,6 +41,7 @@ #:use-module ((gnu system file-systems) #:select (%elogind-file-systems file-system)) #:use-module (gnu system) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module (gnu packages glib) @@ -1034,14 +1036,15 @@ rules." (define (enlightenment-setuid-programs enlightenment-desktop-configuration) (match-record enlightenment-desktop-configuration - - (enlightenment) - (list (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_sys") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_system") - (file-append enlightenment - "/lib/enlightenment/utils/enlightenment_ckpasswd")))) + + (enlightenment) + (map file-like->setuid-program + (list (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_sys") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_system") + (file-append enlightenment + "/lib/enlightenment/utils/enlightenment_ckpasswd"))))) (define enlightenment-desktop-service-type (service-type @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) ;; Allow desktop users to also mount NTFS and NFS file systems ;; without root. (simple-service 'mount-setuid-helpers setuid-program-service-type - (list (file-append nfs-utils "/sbin/mount.nfs") - (file-append ntfs-3g "/sbin/mount.ntfs-3g"))) + (map (lambda (program) + (setuid-program + (program program))) + (list (file-append nfs-utils "/sbin/mount.nfs") + (file-append ntfs-3g "/sbin/mount.ntfs-3g")))) ;; The global fontconfig cache directory can sometimes contain ;; stale entries, possibly referencing fonts that have been GC'd, diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index be85316180..ef551480aa 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2020, 2021 Maxim Cournoyer ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services base) #:use-module (gnu services dbus) #:use-module (gnu services shepherd) + #:use-module (gnu system setuid) #:use-module (gnu system shadow) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity @@ -195,9 +197,10 @@ bundles in Docker containers.") "-helper"))) '("action" "mount" "start"))))) - (list (file-append helpers "/singularity-action-helper") - (file-append helpers "/singularity-mount-helper") - (file-append helpers "/singularity-start-helper"))) + (map file-like->setuid-program + (list (file-append helpers "/singularity-action-helper") + (file-append helpers "/singularity-mount-helper") + (file-append helpers "/singularity-start-helper")))) (define singularity-service-type (service-type (name 'singularity) diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm index 8ffea3b9dd..d95f8beb7a 100644 --- a/gnu/services/xorg.scm +++ b/gnu/services/xorg.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 shtwzrd ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Alex Griffin +;;; Copyright © 2021 Brice Waegeneire ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system setuid) #:use-module (gnu system keyboard) #:use-module (gnu services base) #:use-module (gnu services dbus) @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" #:allow-empty-passwords? empty?))))) (define screen-locker-setuid-programs - (compose list screen-locker-program)) + (compose list file-like->setuid-program screen-locker-program)) (define screen-locker-service-type (service-type (name 'screen-locker) diff --git a/gnu/system.scm b/gnu/system.scm index 96b45ede96..8a70f86457 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -1074,22 +1074,23 @@ use 'plain-file' instead~%") (define %setuid-programs ;; Default set of setuid-root programs. (let ((shadow (@ (gnu packages admin) shadow))) - (list (file-append shadow "/bin/passwd") - (file-append shadow "/bin/sg") - (file-append shadow "/bin/su") - (file-append shadow "/bin/newgrp") - (file-append shadow "/bin/newuidmap") - (file-append shadow "/bin/newgidmap") - (file-append inetutils "/bin/ping") - (file-append inetutils "/bin/ping6") - (file-append sudo "/bin/sudo") - (file-append sudo "/bin/sudoedit") - (file-append fuse "/bin/fusermount") + (map file-like->setuid-program + (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/sg") + (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") + (file-append shadow "/bin/newuidmap") + (file-append shadow "/bin/newgidmap") + (file-append inetutils "/bin/ping") + (file-append inetutils "/bin/ping6") + (file-append sudo "/bin/sudo") + (file-append sudo "/bin/sudoedit") + (file-append fuse "/bin/fusermount") - ;; To allow mounts with the "user" option, "mount" and "umount" must - ;; be setuid-root. - (file-append util-linux "/bin/mount") - (file-append util-linux "/bin/umount")))) + ;; To allow mounts with the "user" option, "mount" and "umount" must + ;; be setuid-root. + (file-append util-linux "/bin/mount") + (file-append util-linux "/bin/umount"))))) (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' -- 2.31.1