Subject: [bug#44700] services: setuid: More configurable setuid support.
From: Christopher Lemmer Webber
To: 44700@debbugs.gnu.org
Date: Mon, 16 Nov 2020 18:29:11 -0500
Message-ID: <874klog9tk.fsf@dustycloud.org>

This patch allows for configuring the specific user, group, and whether to set the setuid and setgid bits.

See also: https://lists.gnu.org/archive/html/guix-devel/2020-11/msg00369.html

But I thought I'd open this here so we could track changes since this is technically independent of the postfix stuff.

Anyway, patch attached. One change since the last email above is that I added support for string-based username/groups.

This also needs documentation, I suppose, so that should be done. But it would be good to know if this patch looks like it's on the "right path" or not.

[Attachment: 0001-services-setuid-More-configurable-setuid-support.patch]
From eadac673fb22132c555a4e1cee57a6308ecfdad4 Mon Sep 17 00:00:00 2001 From: Christopher Lemmer Webber Date: Sun, 15 Nov 2020 16:58:52 -0500 Subject: [PATCH] services: setuid: More configurable setuid support. New record with fields for setting the specific user and group, as well as specifically selecting the setuid and setgid bits, for a program within the setuid-program-service. * gnu/services.scm (): New record type. (setuid-program, make-setuid-program, setuid-program?) (setuid-program-program, setuid-program-setuid?, setuid-program-setgid?) (setuid-program-user, setuid-program-group): New variables, export them. (setuid-program-entry): New variable, a procedure used for the service-extension of activation-service-type as set up by setuid-program-service-type. Unpacks the record, handing off within the gexp to activate-setuid-programs. (setuid-program-service-type): Make use of setuid-program-entry. * gnu/build/activation.scm (activate-setuid-programs): Update to expect a tagged list for each program entry, pre-unpacked from the record before being handed to this procedure. --- gnu/build/activation.scm | 46 +++++++++++++++++++++---------------- gnu/services.scm | 49 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 73 insertions(+), 22 deletions(-) diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 4b67926e88..fd17ce0434 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -229,13 +229,6 @@ they already exist." (define (activate-setuid-programs programs) "Turn PROGRAMS, a list of file names, into setuid programs stored under %SETUID-DIRECTORY." - (define (make-setuid-program prog) - (let ((target (string-append %setuid-directory - "/" (basename prog)))) - (copy-file prog target) - (chown target 0 0) - (chmod target #o6555))) - (format #t "setting up setuid programs in '~a'...~%" %setuid-directory) (if (file-exists? %setuid-directory) 
@@ -247,18 +240,33 @@ they already exist." string. - (format (current-error-port) - "warning: failed to make '~a' setuid-root: ~a~%" - program (strerror (system-error-errno args)))))) + (for-each (match-lambda + [('setuid-program src-path setuid? setgid? user group) + (let ((uid (match user + [(? string?) (passwd:uid (getpwnam user))] + [(? integer?) user])) + (gid (match group + [(? string?) (group:gid (getgrnam user))] + [(? integer?) group]))) + (catch 'system-error + (lambda () + (let ((target (string-append %setuid-directory + "/" (basename src-path))) + (mode (+ #o0555 ; base permissions + (if setuid? #o4000 0) ; setuid bit + (if setgid? #o2000 0)))) ; setgid bit + (copy-file src-path target) + (chown target uid gid) + (chmod target mode))) + (lambda args + ;; If we fail to create a setuid program, better keep going + ;; so that we don't leave %SETUID-DIRECTORY empty or + ;; half-populated. This can happen if PROGRAMS contains + ;; incorrect file names: . + (format (current-error-port) + "warning: failed to make '~a' setuid-root: ~a~%" + (setuid-program-program program) + (strerror (system-error-errno args))))))]) programs)) (define (activate-special-files special-files) diff --git a/gnu/services.scm b/gnu/services.scm index 4b30399adc..a5b4734152 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -87,6 +87,14 @@ ambiguous-target-service-error-service ambiguous-target-service-error-target-type + setuid-program + setuid-program? + setuid-program-program + setuid-program-setuid? + setuid-program-setgid? + setuid-program-user + setuid-program-group + system-service-type provenance-service-type sexp->system-provenance 
@@ -773,13 +781,48 @@ directory." FILES must be a list of name/file-like object pairs." (service etc-service-type files)) +(define-record-type* setuid-program make-setuid-program + setuid-program? + ;; Path to program to link with setuid permissions + (program setuid-program-program) ;string + ;; Whether to set user setuid bit + (setuid? setuid-program-setuid? ;boolean + (default #t)) + ;; Whether to set user setgid bit + (setgid? setuid-program-setgid? ;boolean + (default #t)) + ;; The user this should be set to (defaults to root) + (user setuid-program-user ;integer or string + (default 0)) + ;; Group we want to set this to (defaults to root) + (group setuid-program-group ;integer or string + (default 0))) + +(define (setuid-program-entry programs) + #~(activate-setuid-programs + ;; convert into a tagged list structure as expected by + ;; activate-setuid-programs + (list #$@(map (match-lambda + [(? setuid-program? sp) + #~(list 'setuid-program + #$(setuid-program-program sp) + #$(setuid-program-setuid? sp) + #$(setuid-program-setgid? sp) + #$(setuid-program-user sp) + #$(setuid-program-group sp))] + ;; legacy, non- structure + [program + ;; TODO: Spit out a warning here? + #~(list 'setuid-program + #$program + #t #t 0 0)]) + programs)))) + (define setuid-program-service-type (service-type (name 'setuid-program) (extensions (list (service-extension activation-service-type - (lambda (programs) - #~(activate-setuid-programs - (list #$@programs)))))) + setuid-program-entry))) (compose concatenate) (extend append) (description -- 2.29.1 --=-=-=--
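Review bot: the docstring of `activate-setuid-programs` in the first gnu/build/activation.scm hunk still says "PROGRAMS, a list of file names", but with the local `make-setuid-program` helper removed the procedure now takes the tagged `('setuid-program src-path setuid? setgid? user group)` lists that the next hunk matches on; update the docstring to describe that shape, since it is the contract between the build side and `setuid-program-entry`.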
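Review bot: the group lookup in the second gnu/build/activation.scm hunk reads `(group:gid (getgrnam user))` but should pass `group`; as written a string-valued `group` is never consulted and the gid comes from whatever `user` resolves to, so an entry meant to be setgid to a dedicated group can silently end up owned by the root group. In the same hunk the error handler calls `(setuid-program-program program)`, but `program` is not bound inside the `match-lambda` clause (the path is `src-path`) and the record accessor lives in (gnu services), not on the build side, so the warning path raises instead of warning; use `src-path` there. The `getpwnam`/`getgrnam` calls also sit outside the `catch`, so a misspelled user or group name aborts the whole activation rather than producing the "failed to make ... setuid" warning that the "better keep going" comment promises; move the lookups inside the `catch` (and widen it beyond `'system-error`), and consider naming the configured user in the message now that it is no longer always "setuid-root".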
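Review bot: the export hunk in gnu/services.scm adds `setuid-program` and the accessors but not `make-setuid-program`, which the commit message lists among the exported variables; either export it or drop it from the ChangeLog entry.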
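Review bot: the field comments on the new record in the last gnu/services.scm hunk are misleading: `program` is described as "Path to program to link" and typed `;string`, but activation copies the file with `copy-file` rather than linking it, and existing `%setuid-programs` entries are file-like objects such as `file-append` results rather than strings, which is also why `#$(setuid-program-program sp)` works inside the gexp. The defaults (`setuid? #t`, `setgid? #t`, user 0, group 0) reproduce the legacy mode 6555 root:root, so converting an existing entry changes nothing; that is worth saying in the comments and the documentation, since anyone wanting least privilege must set `setgid? #f` or a non-root user explicitly. For the legacy clause marked "TODO: Spit out a warning here?", a deprecation `warning` from (guix diagnostics) is the usual approach. Because `user` and `group` are only checked by the `match` at activation time, a value that is neither an integer nor a string fails on the target system; a `sanitize` on those fields would report it at configuration time instead.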
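An operating-system excerpt showing how the record introduced by this patch would be used, added here as an example rather than taken from the patch or from Guix itself; it assumes a hypothetical `postfix` package variable and a `postdrop` group, and the other operating-system fields are omitted.

```scheme
;; Added example, not part of the patch: using the setuid-program record
;; from an operating-system declaration.  The `postfix' package variable
;; and the `postdrop' group are assumed for illustration only.
(use-modules (gnu))
(use-package-modules admin mail)

(operating-system
  ;; ... host-name, bootloader, file-systems and other fields omitted ...
  (groups (cons (user-group (name "postdrop") (system? #t))
                %base-groups))
  (setuid-programs
   (cons* ;; Equivalent to the legacy plain entry: mode 6555, owned root:root,
          ;; because every field keeps its default.
          (setuid-program
           (program (file-append shadow "/bin/passwd")))
          ;; Least privilege: setgid to a dedicated group with no setuid bit,
          ;; so the helper gains that group's rights and never root's.
          (setuid-program
           (program (file-append postfix "/sbin/postdrop")) ; hypothetical
           (setuid? #f)
           (setgid? #t)
           (user 0)
           (group "postdrop"))
          ;; Distribution defaults stay plain file-like objects, which the
          ;; legacy clause in setuid-program-entry still accepts.
          %setuid-programs)))
```

The second entry depends on the activation code resolving the string in `group` (not `user`) when it computes the gid.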