From: maxim.cournoyer@gmail.com
To: 41763@debbugs.gnu.org
Cc: Christopher Baines <mail@cbaines.net>
Subject: [bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
Date: Mon, 08 Jun 2020 13:46:37 -0400
Message-ID: <87eeqpih6q.fsf@hurd.i-did-not-set--mail-host-address--so-tickle-me>
Hello!
The following patches provide a means to specify a user and group for a
setuid program, and use that to fix a setgid permission issue in the
context of the opensmtpd service.
Christopher, you should be able to leverage this new facility to
configure the uid/gid of the sendmail program to that of the smtpq user,
like this:
--8<---------------cut here---------------start------------->8---
(operating-system)
[...]
(setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail") "smtpq")
                       %setuid-programs))
--8<---------------cut here---------------end--------------->8---
The smtpq user is created as part of the OpenSMTPD service definition.
Thank you,
[-- Attachment #1.2: 0001-services-Allow-configuring-the-ownership-of-setuid-p.patch --]
From e1b8840da16fb531f6607892ebf08f2d5472b962 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:01:49 -0400
Subject: [PATCH 1/3] services: Allow configuring the ownership of setuid
programs.
Fixes <http://issues.guix.info/41485>.
* gnu/build/activation.scm (activate-setuid-programs): Update doc. Allow a
program entry to be a list that may include a user and a group.
[make-setuid-program] New USER and GROUP keyword parameters. Move the error
handling inside the MAKE-SETUID-PROGRAM helper procedure.
* gnu/services.scm (setuid-program-service-type): Update doc.
* doc/guix.texi (Setuid Programs): Update doc.
---
doc/guix.texi | 17 +++++++++++---
gnu/build/activation.scm | 48 +++++++++++++++++++++++++---------------
gnu/services.scm | 17 ++++++++++++--
3 files changed, 59 insertions(+), 23 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 056bf011f6..83d7344bd8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -26429,14 +26429,25 @@ should be setuid root.
The @code{setuid-programs} field of an @code{operating-system}
declaration contains a list of G-expressions denoting the names of
-programs to be setuid-root (@pxref{Using the Configuration System}).
-For instance, the @command{passwd} program, which is part of the Shadow
-package, can be designated by this G-expression (@pxref{G-Expressions}):
+programs to be setuid (@pxref{Using the Configuration System}). The
+user and group ownership of the setuid program default to @code{root},
+but can be specified by declaring them along the file name of the
+program. For instance, the @command{passwd} program, which is part of
+the Shadow package, can be designated as a setuid-root porgram by this
+G-expression (@pxref{G-Expressions}):
@example
#~(string-append #$shadow "/bin/passwd")
@end example
+As a second example, the @command{smtpctl} program, which is part of the
+OpenSMTPD package, requires to have its group set to @samp{smtpq}.
+This can be specified using:
+
+@example
+(list (file-append opensmtpd "/bin/smtpctl") "smtpq" "smtpq")
+@end example
+
A default set of setuid programs is defined by the
@code{%setuid-programs} variable of the @code{(gnu system)} module.
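Review bot: the new doc text overstates the default: it says user and group ownership both default to @code{root}, but the `make-setuid-program` signature this same patch adds to gnu/build/activation.scm is `#:key (user "root") (group user)`, so the group defaults to whatever user was given and `(list prog "smtpq")` yields smtpq:smtpq, not root:smtpq. State that precisely here. The example should also match what the service change in 3/3 actually registers: that patch uses `/sbin/smtpctl` with a single `"smtpq"` argument, while this text shows `/bin/smtpctl` with `"smtpq" "smtpq"`. Two wording fixes in the same hunk: `porgram` is a typo, and "requires to have its group set to @samp{smtpq}" reads better as "must be setgid @samp{smtpq}".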
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 30f5e87d5a..6be3664d44 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -227,14 +228,28 @@ they already exist."
"/run/setuid-programs")
(define (activate-setuid-programs programs)
- "Turn PROGRAMS, a list of file names, into setuid programs stored under
-%SETUID-DIRECTORY."
- (define (make-setuid-program prog)
+ "Turn PROGRAMS, a list of file names and/or of nested lists composed of a
+file name, a user and a group, into setuid programs stored under
+%SETUID-DIRECTORY. The user and group default to \"root\" and affect the
+ownership of the associated file name."
+ (define* (make-setuid-program prog #:key (user "root") (group user))
(let ((target (string-append %setuid-directory
"/" (basename prog))))
- (copy-file prog target)
- (chown target 0 0)
- (chmod target #o6555)))
+ (catch 'system-error
+ (lambda ()
+ (let ((uid (passwd:uid (getpwnam user)))
+ (gid (group:gid (getgrnam group))))
+ (copy-file prog target)
+ (chown target uid gid)
+ (chmod target #o6555)))
+ (lambda args
+ ;; If we fail to create a setuid program, better keep going
+ ;; so that we don't leave %SETUID-DIRECTORY empty or
+ ;; half-populated. This can happen if PROGRAMS contains
+ ;; incorrect file names: <https://bugs.gnu.org/38800>.
+ (format (current-error-port)
+ "warning: failed to make '~a' setuid (~a:~a): ~a~%"
+ prog user group (strerror (system-error-errno args)))))))
(format #t "setting up setuid programs in '~a'...~%"
%setuid-directory)
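Review bot: the `catch 'system-error` now also wraps the `getpwnam`/`getgrnam` lookups, but in Guile an unknown account name makes those raise `misc-error` ("entry not found") rather than an errno-carrying `system-error`, so a single misspelt user or group in PROGRAMS aborts the whole activation instead of producing the warning, which defeats the "better keep going" intent stated in the comment. Either catch that key as well (reporting the bad name), or resolve both names before entering the handler and warn explicitly when a lookup fails. Also, the docstring says "The user and group default to \"root\"" while the signature is `#:key (user "root") (group user)`: the group really defaults to the user, and the docstring should say so. The ordering of `chown` before `chmod` is the right one, since changing the owner would otherwise clear the setuid/setgid bits just set.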
@@ -247,18 +262,15 @@ they already exist."
string<?))
(mkdir-p %setuid-directory))
- (for-each (lambda (program)
- (catch 'system-error
- (lambda ()
- (make-setuid-program program))
- (lambda args
- ;; If we fail to create a setuid program, better keep going
- ;; so that we don't leave %SETUID-DIRECTORY empty or
- ;; half-populated. This can happen if PROGRAMS contains
- ;; incorrect file names: <https://bugs.gnu.org/38800>.
- (format (current-error-port)
- "warning: failed to make '~a' setuid-root: ~a~%"
- program (strerror (system-error-errno args))))))
+ (for-each (match-lambda
+ ((program user group)
+ (make-setuid-program program #:user user #:group group))
+ ((program user)
+ (make-setuid-program program #:user user))
+ ((program)
+ (make-setuid-program program))
+ (program
+ (make-setuid-program program)))
programs))
(define (activate-special-files special-files)
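Review bot: the last clause of the `match-lambda`, `(program (make-setuid-program program))`, is a catch-all, so any malformed entry that is not a one- to three-element list (a four-element list, a non-string) is handed whole as PROG to `make-setuid-program`, where `basename`/`string-append` raise a wrong-type-arg that the inner `catch 'system-error` does not intercept. Restrict the fallback to `((? string? program) (make-setuid-program program))` and turn every other shape into an explicit error, or a warning that names the offending entry and skips it, so a bad operating-system declaration fails with a readable message rather than a type error from inside activation. A short comment on the `((program user) ...)` clause would also help: because of the `(group user)` default, that form sets the group equal to the user, not to root.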
diff --git a/gnu/services.scm b/gnu/services.scm
index 2e4648bf78..19a1c38ceb 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016 Chris Marusich <cmmarusich@gmail.com>
+;;; Copyright © 2020 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -681,12 +682,24 @@ FILES must be a list of name/file-like object pairs."
(list (service-extension activation-service-type
(lambda (programs)
#~(activate-setuid-programs
- (list #$@programs))))))
+ (quote (#$@programs)))))))
(compose concatenate)
(extend append)
(description
"Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid-root.")))
+executables, making them setuid. The PROGRAMS entries extending the
+setuid-program-service-type is a list of file-like objects. Alternatively to
+file-like objects, nested lists containing a file-like object, a user and a
+group can be used to control the ownership of the associated file.
+
+Example:
+
+(list (file-append shadow \"/bin/passwd\")
+ (list (file-append opensmtpd \"/bin/smtpctl\") \"root\" \"smtpq\"))
+
+The @command{passwd} program has both its user and group set to the
+default \"root\" while the @command{smtpctl} program has its user set to
+\"root\" and its group set to \"smtpq\".")))
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
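Review bot: the example in the description, `(list (file-append opensmtpd "/bin/smtpctl") "root" "smtpq")`, disagrees with patch 3/3, which registers `/sbin/smtpctl` with a single `"smtpq"` argument (owner smtpq, and group smtpq through the default); pick one form and use it consistently in guix.texi, this docstring and the service. Grammar: "The PROGRAMS entries extending the setuid-program-service-type is a list of file-like objects" should read "...form a list of file-like objects". Replacing `(list #$@programs)` with `(quote (#$@programs))` is correct now that entries may be nested lists that must be treated as data rather than evaluated; a one-line comment saying why the list is quoted would save the next reader the question.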
--
2.26.2
[-- Attachment #1.3: 0002-services-opensmtpd-Remove-unused-binding.patch --]
From 01c1ab83bf6f5a8158a993de2fa0048f6d172a73 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:49:25 -0400
Subject: [PATCH 2/3] services: opensmtpd: Remove unused binding.
* gnu/services/mail.scm (opensmtpd-activation): Remove unused SMTPD variable
binding.
---
gnu/services/mail.scm | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index cfcaf4601b..7c49d99e9f 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1665,15 +1665,14 @@ match from local for any action outbound
(define opensmtpd-activation
(match-lambda
(($ <opensmtpd-configuration> package config-file)
- (let ((smtpd (file-append package "/sbin/smtpd")))
- #~(begin
- (use-modules (guix build utils))
- ;; Create mbox and spool directories.
- (mkdir-p "/var/mail")
- (mkdir-p "/var/spool/smtpd")
- (chmod "/var/spool/smtpd" #o711)
- (mkdir-p "/var/spool/mail")
- (chmod "/var/spool/mail" #o711))))))
+ #~(begin
+ (use-modules (guix build utils))
+ ;; Create mbox and spool directories.
+ (mkdir-p "/var/mail")
+ (mkdir-p "/var/spool/smtpd")
+ (chmod "/var/spool/smtpd" #o711)
+ (mkdir-p "/var/spool/mail")
+ (chmod "/var/spool/mail" #o711)))))
(define %opensmtpd-pam-services
(list (unix-pam-service "smtpd")))
--
2.26.2
[-- Attachment #1.4: 0003-services-opensmtpd-Fix-the-setgid-problem-for-the-sm.patch --]
From 52a1a031e6a7c0196cf17d0bd32061d02b453df8 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sun, 7 Jun 2020 23:52:00 -0400
Subject: [PATCH 3/3] services: opensmtpd: Fix the setgid problem for the
smtpctl utility.
The utility was complaining that it wasn't setgid to the group ID of the
"smtpq" group.
* gnu/services/mail.scm (opensmtpd-service-type): Extend the
setuid-program-service-type with the smtpctl program.
---
gnu/services/mail.scm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 7c49d99e9f..96efbd951d 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -1662,6 +1662,11 @@ match from local for any action outbound
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin")))))
+(define (opensmtpd-setuid-programs opensmtpd-configuration)
+ (let ((smtpctl (file-append (opensmtpd-configuration-package
+ opensmtpd-configuration) "/sbin/smtpctl")))
+ (list (list smtpctl "smtpq"))))
+
(define opensmtpd-activation
(match-lambda
(($ <opensmtpd-configuration> package config-file)
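Review bot: `(list (list smtpctl "smtpq"))` makes the copied smtpctl owned by smtpq and, through the `(group user)` default in `make-setuid-program`, group smtpq as well; since `activate-setuid-programs` applies `#o6555` unconditionally, the helper ends up setuid smtpq in addition to the setgid smtpq the commit message asks for. Given that fixed mode, owning it by smtpq is the lesser privilege (setuid smtpq rather than setuid root), so the choice is defensible, but it diverges from the `"root" "smtpq"` example written into the service description in 1/3, and the commit message should say that the binary becomes setuid smtpq too. Longer term, letting an entry carry a mode would allow a setgid-only helper such as this one to be installed 2555 root:smtpq rather than 6555.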
@@ -1683,6 +1688,8 @@ match from local for any action outbound
(extensions
(list (service-extension account-service-type
(const %opensmtpd-accounts))
+ (service-extension setuid-program-service-type
+ opensmtpd-setuid-programs)
(service-extension activation-service-type
opensmtpd-activation)
(service-extension pam-root-service-type
--
2.26.2
Maxim
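The cover letter above shows how an operating-system declaration asks for a given owner and group on a setuid program. The script below is an added example, not part of this patch series or of Guix, that checks the result from the other side: it audits a populated setuid-programs directory (the /run/setuid-programs that activate-setuid-programs fills) against a policy of expected owner, group and mode, and reports entries that drifted, are missing, or are present without being declared. The policy file format and the function names are this example's own; it assumes GNU coreutils stat on Linux and runs its demo on a constructed temporary directory, so no root privileges are needed.

```shell
#!/bin/sh
# Added example, not part of this patch series or of Guix itself: audit a
# setuid-programs directory (by default the /run/setuid-programs that
# activate-setuid-programs populates) against the owner, group and mode
# the operating-system declaration asked for.  Assumes GNU coreutils stat
# on Linux; the policy format below is this script's own invention.

# check_setuid_entry FILE USER GROUP MODE
# Returns 0 when FILE is owned by USER:GROUP with octal mode MODE,
# 1 on a mismatch and 2 when FILE cannot be stat'ed.
check_setuid_entry() {
    _file=$1 _want_user=$2 _want_group=$3 _want_mode=$4
    _actual=$(stat -c '%U %G %a' "$_file" 2>/dev/null) || {
        echo "MISSING: $_file"
        return 2
    }
    # Deliberate word splitting of "user group mode" into $1 $2 $3.
    set -- $_actual
    if [ "$1" = "$_want_user" ] && [ "$2" = "$_want_group" ] && [ "$3" = "$_want_mode" ]; then
        echo "ok: $_file is $1:$2 mode $3"
        return 0
    fi
    echo "MISMATCH: $_file is $1:$2 mode $3, want $_want_user:$_want_group mode $_want_mode"
    return 1
}

# audit_setuid_dir DIR POLICY
# POLICY is a text file of lines "basename user group mode" (a format
# constructed for this example).  Every policy line must exist in DIR with
# the right ownership and mode, and every file in DIR must appear in
# POLICY, so a stray binary is reported just like a drifted one.
# Returns the number of problems found (0 means DIR matches POLICY).
audit_setuid_dir() {
    _dir=$1 _policy=$2 _problems=0
    while read -r _name _u _g _m; do
        [ -n "$_name" ] || continue
        check_setuid_entry "$_dir/$_name" "$_u" "$_g" "$_m" || _problems=$((_problems + 1))
    done < "$_policy"
    for _path in "$_dir"/*; do
        [ -e "$_path" ] || continue
        if ! grep -q "^$(basename "$_path") " "$_policy"; then
            echo "UNEXPECTED: $_path is not in the policy"
            _problems=$((_problems + 1))
        fi
    done
    return "$_problems"
}

# Stand-alone demo on a constructed directory (no root needed): one entry
# that matches, one whose mode drifted, and one the policy expects but
# which is absent.  Files are owned by the calling user, so the policy is
# built from the caller's own user and group names.
if [ "${SETUID_AUDIT_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    policy=$(mktemp)
    me=$(id -un 2>/dev/null || echo UNKNOWN)
    mg=$(id -gn 2>/dev/null || echo UNKNOWN)
    : > "$demo/smtpctl" && chmod 6555 "$demo/smtpctl"
    : > "$demo/passwd"  && chmod 755  "$demo/passwd"
    printf '%s\n' "smtpctl $me $mg 6555" "passwd $me $mg 6555" "sudo $me $mg 6555" > "$policy"
    if audit_setuid_dir "$demo" "$policy"; then
        echo "clean"
    else
        echo "$? problem(s) found"
    fi
    rm -rf "$demo" "$policy"
fi
```

The demo's policy uses mode 6555 because that is what make-setuid-program applies; writing 2555 in a policy line instead would flag a helper that should be setgid-only but also carries the setuid bit, which is exactly the situation the smtpctl entry in 3/3 produces.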