Subject: bug#44700: [PATCH v3 2/2] services: Migrate to .
From: Christine Lemmer-Webber
To: Brice Waegeneire
Cc: 44700-done@debbugs.gnu.org
Date: Thu, 29 Jul 2021 12:18:33 -0400
Message-ID: <87h7gdks9y.fsf@dustycloud.org>
In-reply-to: <87k0l9ksdj.fsf@dustycloud.org>
References: <87v95oeq58.fsf@dustycloud.org> <20210706200320.27113-3-brice@waegenei.re> <87sg0qc98z.fsf@dustycloud.org> <87mtq5ksxz.fsf@dustycloud.org> <87k0l9ksdj.fsf@dustycloud.org>
User-agent: mu4e 1.4.15; emacs 27.2

Oh, forgot to close it.

Christine Lemmer-Webber writes:

> Got the all clear to push to master. Rebased and pushed! :)
>
> Christine Lemmer-Webber writes:
>
>> I rebased the patches and created the branch origin/wip-setuid.
>> (I also updated my name... again. Should be the final update.)
>>
>> Looks like the tests all pass. I don't want to let this bitrot again.
>> Does anyone have an objection to me pushing this to master?
>>
>> If nobody objects I'm gonna do it!
>>
>>
>> Chris Lemmer-Webber writes:
>>
>>> Looks good to me. I'd say push it... let's not let this bitrot again!
>>>
>>> Brice Waegeneire writes:
>>>
>>>> * gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs):
>>>> Return setuid-programs.
>>>> * gnu/services/desktop.scm (enlightenment-setuid-programs): Return
>>>> setuid-programs.
>>>> (%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
>>>> * gnu/services/docker.scm (singularity-setuid-programs): Return
>>>> setuid-programs.
>>>> * gnu/services/xorg.scm(screen-locker-setuid-programs): Return
>>>> setuid-programs.
>>>> * gnu/system.scm (%setuid-programs): Return setuid-programs.
>>>> * doc/guix.texi (Setuid Programs, operating-system Reference): Replace
>>>> 'list of G-expressions' with 'list of '.
>>>> --- >>>> doc/guix.texi | 19 +++++++++++-------- >>>> gnu/services/dbus.scm | 13 +++++++++---- >>>> gnu/services/desktop.scm | 26 ++++++++++++++++---------- >>>> gnu/services/docker.scm | 9 ++++++--- >>>> gnu/services/xorg.scm | 4 +++- >>>> gnu/system.scm | 31 ++++++++++++++++--------------- >>>> 6 files changed, 61 insertions(+), 41 deletions(-) >>>> >>>> diff --git a/doc/guix.texi b/doc/guix.texi >>>> index f7a72b9885..7919332521 100644 >>>> --- a/doc/guix.texi >>>> +++ b/doc/guix.texi >>>> @@ -13860,8 +13860,8 @@ Linux @dfn{pluggable authentication module} (P= AM) services. >>>> @c FIXME: Add xref to PAM services section. >>>>=20=20 >>>> @item @code{setuid-programs} (default: @code{%setuid-programs}) >>>> -List of string-valued G-expressions denoting setuid programs. >>>> -@xref{Setuid Programs}. >>>> +List of @code{}. @xref{Setuid Programs}, for more >>>> +information. >>>>=20=20 >>>> @item @code{sudoers-file} (default: @code{%sudoers-specification}) >>>> @cindex sudoers file 
>>>> @@ -32421,13 +32421,15 @@ the store, we let the system administrator @= emph{declare} which programs >>>> should be setuid root. >>>>=20=20 >>>> The @code{setuid-programs} field of an @code{operating-system} >>>> -declaration contains a list of G-expressions denoting the names of >>>> -programs to be setuid-root (@pxref{Using the Configuration System}). >>>> -For instance, the @command{passwd} program, which is part of the Shad= ow >>>> -package, can be designated by this G-expression (@pxref{G-Expressions= }): >>>> +declaration contains a list of @code{} denoting the >>>> +names of programs to have a setuid or setgid bit set (@pxref{Using the >>>> +Configuration System}). For instance, the @command{passwd} program, >>>> +which is part of the Shadow package, with a setuid root can be >>>> +designated like this: >>>>=20=20 >>>> @example >>>> -#~(string-append #$shadow "/bin/passwd") >>>> +(setuid-program >>>> + (program (file-append #$shadow "/bin/passwd"))) >>>> @end example >>>>=20=20 >>>> @deftp {Data Type} setuid-program >>>> @@ -32458,7 +32460,8 @@ A default set of setuid programs is defined by= the >>>> @code{%setuid-programs} variable of the @code{(gnu system)} module. >>>>=20=20 >>>> @defvr {Scheme Variable} %setuid-programs >>>> -A list of G-expressions denoting common programs that are setuid-root. >>>> +A list of @code{} denoting common programs that are >>>> +setuid-root. >>>>=20=20 >>>> The list includes commands such as @command{passwd}, @command{ping}, >>>> @command{su}, and @command{sudo}. >>>> diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm >>>> index af1a1e4c3a..e7b3dac166 100644 >>>> --- a/gnu/services/dbus.scm >>>> +++ b/gnu/services/dbus.scm 
>>>> @@ -2,6 +2,7 @@ >>>> ;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic= Court=C3=A8s >>>> ;;; Copyright =C2=A9 2015 Sou Bunnbu >>>> ;;; Copyright =C2=A9 2021 Maxime Devos >>>> +;;; Copyright =C2=A9 2021 Brice Waegeneire >>>> ;;; >>>> ;;; This file is part of GNU Guix. >>>> ;;; >>>> @@ -21,6 +22,7 @@ >>>> (define-module (gnu services dbus) >>>> #:use-module (gnu services) >>>> #:use-module (gnu services shepherd) >>>> + #:use-module (gnu system setuid) >>>> #:use-module (gnu system shadow) >>>> #:use-module (gnu system pam) >>>> #:use-module ((gnu packages glib) #:select (dbus)) >>>> @@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} director= ies of each package listed in >>>> (shell (file-append shadow "/sbin/nologin"))))) >>>>=20=20 >>>> (define dbus-setuid-programs >>>> - ;; Return the file name of the setuid program that we need. >>>> + ;; Return a list of for the program that we need. >>>> (match-lambda >>>> (($ dbus services) >>>> - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) >>>> + (list (setuid-program >>>> + (program (file-append >>>> + dbus "/libexec/dbus-daemon-launch-helper"))))))) >>>>=20=20 >>>> (define (dbus-activation config) >>>> "Return an activation gexp for D-Bus using @var{config}." >>>> @@ -335,8 +339,9 @@ tuples, are all set as environment variables when = the bus daemon launches it." >>>> (define polkit-setuid-programs >>>> (match-lambda >>>> (($ polkit) >>>> - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") >>>> - (file-append polkit "/bin/pkexec"))))) >>>> + (map file-like->setuid-program >>>> + (list (file-append polkit "/lib/polkit-1/polkit-agent-helpe= r-1") >>>> + (file-append polkit "/bin/pkexec")))))) >>>>=20=20 >>>> (define polkit-service-type >>>> (service-type (name 'polkit) >>>> diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm >>>> index cd800fcc2b..64d0e85301 100644 >>>> --- a/gnu/services/desktop.scm >>>> +++ b/gnu/services/desktop.scm 
>>>> @@ -12,6 +12,7 @@ >>>> ;;; Copyright =C2=A9 2019 David Wilson >>>> ;;; Copyright =C2=A9 2020 Tobias Geerinckx-Rice >>>> ;;; Copyright =C2=A9 2020 Reza Alizadeh Majd >>>> +;;; Copyright =C2=A9 2021 Brice Waegeneire >>>> ;;; >>>> ;;; This file is part of GNU Guix. >>>> ;;; >>>> @@ -40,6 +41,7 @@ >>>> #:use-module ((gnu system file-systems) >>>> #:select (%elogind-file-systems file-system)) >>>> #:use-module (gnu system) >>>> + #:use-module (gnu system setuid) >>>> #:use-module (gnu system shadow) >>>> #:use-module (gnu system pam) >>>> #:use-module (gnu packages glib) >>>> @@ -1034,14 +1036,15 @@ rules." >>>>=20=20 >>>> (define (enlightenment-setuid-programs enlightenment-desktop-configur= ation) >>>> (match-record enlightenment-desktop-configuration >>>> - >>>> - (enlightenment) >>>> - (list (file-append enlightenment >>>> - "/lib/enlightenment/utils/enlightenment_sys") >>>> - (file-append enlightenment >>>> - "/lib/enlightenment/utils/enlightenment_system= ") >>>> - (file-append enlightenment >>>> - "/lib/enlightenment/utils/enlightenment_ckpass= wd")))) >>>> + >>>> + (enlightenment) >>>> + (map file-like->setuid-program >>>> + (list (file-append enlightenment >>>> + "/lib/enlightenment/utils/enlightenment_s= ys") >>>> + (file-append enlightenment >>>> + "/lib/enlightenment/utils/enlightenment_s= ystem") >>>> + (file-append enlightenment >>>> + "/lib/enlightenment/utils/enlightenment_c= kpasswd"))))) >>>>=20=20 >>>> (define enlightenment-desktop-service-type >>>> (service-type 
>>>> @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) >>>> ;; Allow desktop users to also mount NTFS and NFS file syste= ms >>>> ;; without root. >>>> (simple-service 'mount-setuid-helpers setuid-program-service= -type >>>> - (list (file-append nfs-utils "/sbin/mount.nf= s") >>>> - (file-append ntfs-3g "/sbin/mount.ntfs= -3g"))) >>>> + (map (lambda (program) >>>> + (setuid-program >>>> + (program program))) >>>> + (list (file-append nfs-utils "/sbin/mou= nt.nfs") >>>> + (file-append ntfs-3g "/sbin/mount.ntfs= -3g")))) >>>>=20=20 >>>> ;; The global fontconfig cache directory can sometimes conta= in >>>> ;; stale entries, possibly referencing fonts that have been = GC'd, >>>> diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm >>>> index be85316180..ef551480aa 100644 >>>> --- a/gnu/services/docker.scm >>>> +++ b/gnu/services/docker.scm >>>> @@ -4,6 +4,7 @@ >>>> ;;; Copyright =C2=A9 2020, 2021 Maxim Cournoyer >>>> ;;; Copyright =C2=A9 2020 Efraim Flashner >>>> ;;; Copyright =C2=A9 2020 Jesse Dowell >>>> +;;; Copyright =C2=A9 2021 Brice Waegeneire >>>> ;;; >>>> ;;; This file is part of GNU Guix. >>>> ;;; >>>> @@ -26,6 +27,7 @@ >>>> #:use-module (gnu services base) >>>> #:use-module (gnu services dbus) >>>> #:use-module (gnu services shepherd) >>>> + #:use-module (gnu system setuid) >>>> #:use-module (gnu system shadow) >>>> #:use-module (gnu packages docker) >>>> #:use-module (gnu packages linux) ;singularity 
>>>> @@ -195,9 +197,10 @@ bundles in Docker containers.") >>>> "-helper")= )) >>>> '("action" "mount" "start"))))) >>>>=20=20 >>>> - (list (file-append helpers "/singularity-action-helper") >>>> - (file-append helpers "/singularity-mount-helper") >>>> - (file-append helpers "/singularity-start-helper"))) >>>> + (map file-like->setuid-program >>>> + (list (file-append helpers "/singularity-action-helper") >>>> + (file-append helpers "/singularity-mount-helper") >>>> + (file-append helpers "/singularity-start-helper")))) >>>>=20=20 >>>> (define singularity-service-type >>>> (service-type (name 'singularity) >>>> diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm >>>> index 8ffea3b9dd..d95f8beb7a 100644 >>>> --- a/gnu/services/xorg.scm >>>> +++ b/gnu/services/xorg.scm >>>> @@ -8,6 +8,7 @@ >>>> ;;; Copyright =C2=A9 2020 shtwzrd >>>> ;;; Copyright =C2=A9 2020 Jakub K=C4=85dzio=C5=82ka >>>> ;;; Copyright =C2=A9 2020 Alex Griffin >>>> +;;; Copyright =C2=A9 2021 Brice Waegeneire >>>> ;;; >>>> ;;; This file is part of GNU Guix. >>>> ;;; >>>> @@ -29,6 +30,7 @@ >>>> #:use-module (gnu services) >>>> #:use-module (gnu services shepherd) >>>> #:use-module (gnu system pam) >>>> + #:use-module (gnu system setuid) >>>> #:use-module (gnu system keyboard) >>>> #:use-module (gnu services base) >>>> #:use-module (gnu services dbus) >>>> @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" >>>> #:allow-empty-passwords? empty?))))) >>>>=20=20 >>>> (define screen-locker-setuid-programs >>>> - (compose list screen-locker-program)) >>>> + (compose list file-like->setuid-program screen-locker-program)) >>>>=20=20 >>>> (define screen-locker-service-type >>>> (service-type (name 'screen-locker) >>>> diff --git a/gnu/system.scm b/gnu/system.scm >>>> index 385c36a484..681dd33630 100644 >>>> --- a/gnu/system.scm >>>> +++ b/gnu/system.scm 
>>>> @@ -1105,22 +1105,23 @@ use 'plain-file' instead~%") >>>> (define %setuid-programs >>>> ;; Default set of setuid-root programs. >>>> (let ((shadow (@ (gnu packages admin) shadow))) >>>> - (list (file-append shadow "/bin/passwd") >>>> - (file-append shadow "/bin/sg") >>>> - (file-append shadow "/bin/su") >>>> - (file-append shadow "/bin/newgrp") >>>> - (file-append shadow "/bin/newuidmap") >>>> - (file-append shadow "/bin/newgidmap") >>>> - (file-append inetutils "/bin/ping") >>>> - (file-append inetutils "/bin/ping6") >>>> - (file-append sudo "/bin/sudo") >>>> - (file-append sudo "/bin/sudoedit") >>>> - (file-append fuse "/bin/fusermount") >>>> + (map file-like->setuid-program >>>> + (list (file-append shadow "/bin/passwd") >>>> + (file-append shadow "/bin/sg") >>>> + (file-append shadow "/bin/su") >>>> + (file-append shadow "/bin/newgrp") >>>> + (file-append shadow "/bin/newuidmap") >>>> + (file-append shadow "/bin/newgidmap") >>>> + (file-append inetutils "/bin/ping") >>>> + (file-append inetutils "/bin/ping6") >>>> + (file-append sudo "/bin/sudo") >>>> + (file-append sudo "/bin/sudoedit") >>>> + (file-append fuse "/bin/fusermount") >>>>=20=20 >>>> - ;; To allow mounts with the "user" option, "mount" and "umo= unt" must >>>> - ;; be setuid-root. >>>> - (file-append util-linux "/bin/mount") >>>> - (file-append util-linux "/bin/umount")))) >>>> + ;; To allow mounts with the "user" option, "mount" and= "umount" must >>>> + ;; be setuid-root. >>>> + (file-append util-linux "/bin/mount") >>>> + (file-append util-linux "/bin/umount"))))) >>>>=20=20 >>>> (define %sudoers-specification >>>> ;; Default /etc/sudoers contents: 'root' and all members of the 'wh= eel'
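Review bot: the manual example in the second doc/guix.texi hunk, `(program (file-append #$shadow "/bin/passwd"))`, keeps the `#$` unquote from the G-expression it replaces, but `#$` is only meaningful inside a `#~` gexp; `file-append` takes the file-like object directly, which is how every code hunk in this patch spells it (`(file-append dbus "/libexec/dbus-daemon-launch-helper")` in dbus.scm, `(file-append shadow "/bin/passwd")` in gnu/system.scm). Suggest `(program (file-append shadow "/bin/passwd"))` so that a reader copying the example into an `operating-system` declaration gets an expression that evaluates.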
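Review bot: the mount-setuid-helpers hunk in gnu/services/desktop.scm wraps its list in `(map (lambda (program) (setuid-program (program program))) ...)`, while every other hunk in this patch (dbus, enlightenment, singularity, screen-locker and `%setuid-programs`) uses `(map file-like->setuid-program ...)`. The lambda is the same conversion written out by hand; suggest `(map file-like->setuid-program (list ...))` here as well, so there is exactly one place that decides which flags a bare file-like object is promoted to.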
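Review bot: the gnu/system.scm hunk converts `%setuid-programs` through `file-like->setuid-program`, and the `@defvr %setuid-programs` doc hunk still describes the result as "common programs that are setuid-root", but nothing in the patch states which uid/gid and which of the setuid/setgid bits that conversion assigns, now that the manual says entries may "have a setuid or setgid bit set". Please document in the `@defvr` text (or the commit message) what `file-like->setuid-program` produces, and state that the default set (passwd, sg, su, newgrp, newuidmap, newgidmap, ping, ping6, sudo, sudoedit, fusermount, mount, umount) ends up with the same bits as before the migration; a check on the flags of the resulting entries would make that no-op property explicit rather than implied, which matters for a list that defines the system's privileged binaries.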