From: Chris Lemmer-Webber
To: Brice Waegeneire
Cc: 44700@debbugs.gnu.org
Subject: [bug#44700] [PATCH v3 2/2] services: Migrate to .
Date: Wed, 07 Jul 2021 13:41:00 -0400
Message-ID: <87sg0qc98z.fsf@dustycloud.org>
In-reply-to: <20210706200320.27113-3-brice@waegenei.re>
References: <87v95oeq58.fsf@dustycloud.org> <20210706200320.27113-3-brice@waegenei.re>
User-agent: mu4e 1.4.15; emacs 27.2

Looks good to me. I'd say push it... let's not let this bitrot again!

Brice Waegeneire writes:

> * gnu/services/dbus.scm (dbus-setuid-programs, polkit-setuid-programs):
> Return setuid-programs.
> * gnu/services/desktop.scm (enlightenment-setuid-programs): Return
> setuid-programs.
> (%desktop-services)[mount-setuid-helpers]: Use setuid-programs.
> * gnu/services/docker.scm (singularity-setuid-programs): Return
> setuid-programs.
> * gnu/services/xorg.scm (screen-locker-setuid-programs): Return
> setuid-programs.
> * gnu/system.scm (%setuid-programs): Return setuid-programs.
> * doc/guix.texi (Setuid Programs, operating-system Reference): Replace
> 'list of G-expressions' with 'list of '.
> ---
> doc/guix.texi            | 19 +++++++++++--------
> gnu/services/dbus.scm    | 13 +++++++++----
> gnu/services/desktop.scm | 26 ++++++++++++++++----------
> gnu/services/docker.scm  |  9 ++++++---
> gnu/services/xorg.scm    |  4 +++-
> gnu/system.scm           | 31 ++++++++++++++++---------------
> 6 files changed, 61 insertions(+), 41 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index f7a72b9885..7919332521 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -13860,8 +13860,8 @@ Linux @dfn{pluggable authentication module} (PAM)= services. > @c FIXME: Add xref to PAM services section. >=20=20 > @item @code{setuid-programs} (default: @code{%setuid-programs}) > -List of string-valued G-expressions denoting setuid programs. > -@xref{Setuid Programs}. > +List of @code{}. @xref{Setuid Programs}, for more > +information. >=20=20 > @item @code{sudoers-file} (default: @code{%sudoers-specification}) > @cindex sudoers file > @@ -32421,13 +32421,15 @@ the store, we let the system administrator @emp= h{declare} which programs > should be setuid root. >=20=20 > The @code{setuid-programs} field of an @code{operating-system} > -declaration contains a list of G-expressions denoting the names of > -programs to be setuid-root (@pxref{Using the Configuration System}). > -For instance, the @command{passwd} program, which is part of the Shadow > -package, can be designated by this G-expression (@pxref{G-Expressions}): > +declaration contains a list of @code{} denoting the > +names of programs to have a setuid or setgid bit set (@pxref{Using the > +Configuration System}). For instance, the @command{passwd} program, > +which is part of the Shadow package, with a setuid root can be > +designated like this: >=20=20 > @example > -#~(string-append #$shadow "/bin/passwd") > +(setuid-program > + (program (file-append #$shadow "/bin/passwd"))) > @end example >=20=20 > @deftp {Data Type} setuid-program > @@ -32458,7 +32460,8 @@ A default set of setuid programs is defined by the > @code{%setuid-programs} variable of the @code{(gnu system)} module. >=20=20 > @defvr {Scheme Variable} %setuid-programs > -A list of G-expressions denoting common programs that are setuid-root. > +A list of @code{} denoting common programs that are > +setuid-root. >=20=20 > The list includes commands such as @command{passwd}, @command{ping}, > @command{su}, and @command{sudo}. 
> diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm > index af1a1e4c3a..e7b3dac166 100644 > --- a/gnu/services/dbus.scm > +++ b/gnu/services/dbus.scm > @@ -2,6 +2,7 @@ > ;;; Copyright =C2=A9 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Co= urt=C3=A8s > ;;; Copyright =C2=A9 2015 Sou Bunnbu > ;;; Copyright =C2=A9 2021 Maxime Devos > +;;; Copyright =C2=A9 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -21,6 +22,7 @@ > (define-module (gnu services dbus) > #:use-module (gnu services) > #:use-module (gnu services shepherd) > + #:use-module (gnu system setuid) > #:use-module (gnu system shadow) > #:use-module (gnu system pam) > #:use-module ((gnu packages glib) #:select (dbus)) > @@ -156,10 +158,12 @@ includes the @code{etc/dbus-1/system.d} directories= of each package listed in > (shell (file-append shadow "/sbin/nologin"))))) >=20=20 > (define dbus-setuid-programs > - ;; Return the file name of the setuid program that we need. > + ;; Return a list of for the program that we need. > (match-lambda > (($ dbus services) > - (list (file-append dbus "/libexec/dbus-daemon-launch-helper"))))) > + (list (setuid-program > + (program (file-append > + dbus "/libexec/dbus-daemon-launch-helper"))))))) >=20=20 > (define (dbus-activation config) > "Return an activation gexp for D-Bus using @var{config}." > @@ -335,8 +339,9 @@ tuples, are all set as environment variables when the= bus daemon launches it." > (define polkit-setuid-programs > (match-lambda > (($ polkit) > - (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1") > - (file-append polkit "/bin/pkexec"))))) > + (map file-like->setuid-program > + (list (file-append polkit "/lib/polkit-1/polkit-agent-helper-1= ") > + (file-append polkit "/bin/pkexec")))))) >=20=20 > (define polkit-service-type > (service-type (name 'polkit) > diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm > index cd800fcc2b..64d0e85301 100644 > --- a/gnu/services/desktop.scm 
> +++ b/gnu/services/desktop.scm > @@ -12,6 +12,7 @@ > ;;; Copyright =C2=A9 2019 David Wilson > ;;; Copyright =C2=A9 2020 Tobias Geerinckx-Rice > ;;; Copyright =C2=A9 2020 Reza Alizadeh Majd > +;;; Copyright =C2=A9 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -40,6 +41,7 @@ > #:use-module ((gnu system file-systems) > #:select (%elogind-file-systems file-system)) > #:use-module (gnu system) > + #:use-module (gnu system setuid) > #:use-module (gnu system shadow) > #:use-module (gnu system pam) > #:use-module (gnu packages glib) > @@ -1034,14 +1036,15 @@ rules." >=20=20 > (define (enlightenment-setuid-programs enlightenment-desktop-configurati= on) > (match-record enlightenment-desktop-configuration > - > - (enlightenment) > - (list (file-append enlightenment > - "/lib/enlightenment/utils/enlightenment_sys") > - (file-append enlightenment > - "/lib/enlightenment/utils/enlightenment_system") > - (file-append enlightenment > - "/lib/enlightenment/utils/enlightenment_ckpasswd"= )))) > + > + (enlightenment) > + (map file-like->setuid-program > + (list (file-append enlightenment > + "/lib/enlightenment/utils/enlightenment_sys") > + (file-append enlightenment > + "/lib/enlightenment/utils/enlightenment_syst= em") > + (file-append enlightenment > + "/lib/enlightenment/utils/enlightenment_ckpa= sswd"))))) >=20=20 > (define enlightenment-desktop-service-type > (service-type 
> @@ -1204,8 +1207,11 @@ or setting its password with passwd."))) > ;; Allow desktop users to also mount NTFS and NFS file systems > ;; without root. > (simple-service 'mount-setuid-helpers setuid-program-service-ty= pe > - (list (file-append nfs-utils "/sbin/mount.nfs") > - (file-append ntfs-3g "/sbin/mount.ntfs-3g= "))) > + (map (lambda (program) > + (setuid-program > + (program program))) > + (list (file-append nfs-utils "/sbin/mount.= nfs") > + (file-append ntfs-3g "/sbin/mount.ntfs-3g= ")))) >=20=20 > ;; The global fontconfig cache directory can sometimes contain > ;; stale entries, possibly referencing fonts that have been GC'= d, > diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm > index be85316180..ef551480aa 100644 > --- a/gnu/services/docker.scm > +++ b/gnu/services/docker.scm > @@ -4,6 +4,7 @@ > ;;; Copyright =C2=A9 2020, 2021 Maxim Cournoyer > ;;; Copyright =C2=A9 2020 Efraim Flashner > ;;; Copyright =C2=A9 2020 Jesse Dowell > +;;; Copyright =C2=A9 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -26,6 +27,7 @@ > #:use-module (gnu services base) > #:use-module (gnu services dbus) > #:use-module (gnu services shepherd) > + #:use-module (gnu system setuid) > #:use-module (gnu system shadow) > #:use-module (gnu packages docker) > #:use-module (gnu packages linux) ;singularity > @@ -195,9 +197,10 @@ bundles in Docker containers.") > "-helper"))) > '("action" "mount" "start"))))) >=20=20 > - (list (file-append helpers "/singularity-action-helper") > - (file-append helpers "/singularity-mount-helper") > - (file-append helpers "/singularity-start-helper"))) > + (map file-like->setuid-program > + (list (file-append helpers "/singularity-action-helper") > + (file-append helpers "/singularity-mount-helper") > + (file-append helpers "/singularity-start-helper")))) >=20=20 > (define singularity-service-type > (service-type (name 'singularity) 
> diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm > index 8ffea3b9dd..d95f8beb7a 100644 > --- a/gnu/services/xorg.scm > +++ b/gnu/services/xorg.scm > @@ -8,6 +8,7 @@ > ;;; Copyright =C2=A9 2020 shtwzrd > ;;; Copyright =C2=A9 2020 Jakub K=C4=85dzio=C5=82ka > ;;; Copyright =C2=A9 2020 Alex Griffin > +;;; Copyright =C2=A9 2021 Brice Waegeneire > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -29,6 +30,7 @@ > #:use-module (gnu services) > #:use-module (gnu services shepherd) > #:use-module (gnu system pam) > + #:use-module (gnu system setuid) > #:use-module (gnu system keyboard) > #:use-module (gnu services base) > #:use-module (gnu services dbus) > @@ -681,7 +683,7 @@ reboot_cmd " shepherd "/sbin/reboot\n" > #:allow-empty-passwords? empty?))))) >=20=20 > (define screen-locker-setuid-programs > - (compose list screen-locker-program)) > + (compose list file-like->setuid-program screen-locker-program)) >=20=20 > (define screen-locker-service-type > (service-type (name 'screen-locker) > diff --git a/gnu/system.scm b/gnu/system.scm > index 385c36a484..681dd33630 100644 > --- a/gnu/system.scm > +++ b/gnu/system.scm 
> @@ -1105,22 +1105,23 @@ use 'plain-file' instead~%") > (define %setuid-programs > ;; Default set of setuid-root programs. > (let ((shadow (@ (gnu packages admin) shadow))) > - (list (file-append shadow "/bin/passwd") > - (file-append shadow "/bin/sg") > - (file-append shadow "/bin/su") > - (file-append shadow "/bin/newgrp") > - (file-append shadow "/bin/newuidmap") > - (file-append shadow "/bin/newgidmap") > - (file-append inetutils "/bin/ping") > - (file-append inetutils "/bin/ping6") > - (file-append sudo "/bin/sudo") > - (file-append sudo "/bin/sudoedit") > - (file-append fuse "/bin/fusermount") > + (map file-like->setuid-program > + (list (file-append shadow "/bin/passwd") > + (file-append shadow "/bin/sg") > + (file-append shadow "/bin/su") > + (file-append shadow "/bin/newgrp") > + (file-append shadow "/bin/newuidmap") > + (file-append shadow "/bin/newgidmap") > + (file-append inetutils "/bin/ping") > + (file-append inetutils "/bin/ping6") > + (file-append sudo "/bin/sudo") > + (file-append sudo "/bin/sudoedit") > + (file-append fuse "/bin/fusermount") >=20=20 > - ;; To allow mounts with the "user" option, "mount" and "umount= " must > - ;; be setuid-root. > - (file-append util-linux "/bin/mount") > - (file-append util-linux "/bin/umount")))) > + ;; To allow mounts with the "user" option, "mount" and "u= mount" must > + ;; be setuid-root. > + (file-append util-linux "/bin/mount") > + (file-append util-linux "/bin/umount"))))) >=20=20 > (define %sudoers-specification > ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
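Review bot: the new @example in the @@ -32421 hunk of doc/guix.texi still uses `#$shadow` inside a plain `setuid-program` record, but `#$` is only meaningful inside a gexp; since the `program` field takes a file-like object, the example should read `(setuid-program (program (file-append shadow "/bin/passwd")))`. The stray `#$` is a holdover from the G-expression this text replaces, and a reader who pastes the example as written will get an ungexp-outside-gexp error. The surrounding sentence "which is part of the Shadow package, with a setuid root can be designated like this" also reads awkwardly; "which is part of the Shadow package, can be made setuid root like this" says the same thing more plainly.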
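Review bot: `dbus-setuid-programs` in the @@ -156 hunk of gnu/services/dbus.scm builds the record by hand with `(list (setuid-program (program (file-append dbus "/libexec/dbus-daemon-launch-helper"))))`, whereas `polkit-setuid-programs` in the very next hunk of the same file, and every other caller converted by this patch, goes through `file-like->setuid-program`. Writing it as `(list (file-like->setuid-program (file-append dbus "/libexec/dbus-daemon-launch-helper")))` keeps the conversion uniform and makes it obvious at a glance that the helper gets the same default setuid settings as everything else; if a non-default setting were intended here, that would be the place to spell it out.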
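Review bot: the `mount-setuid-helpers` hunk (@@ -1204 in gnu/services/desktop.scm) wraps each helper in `(lambda (program) (setuid-program (program program)))`, which is exactly what `file-like->setuid-program` already does in the `enlightenment-setuid-programs` hunk a few lines above; `(map file-like->setuid-program (list (file-append nfs-utils "/sbin/mount.nfs") (file-append ntfs-3g "/sbin/mount.ntfs-3g")))` would be shorter and consistent with the rest of the series. Naming the lambda parameter `program` also shadows the record field of the same name, so `(program program)` reads as a typo until one works out which is which.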
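Review bot: after the @@ -1105 hunk of gnu/system.scm every in-tree provider of setuid programs returns `setuid-program` records, and the manual hunk now documents the `setuid-programs` field as a list of them, but nothing in this patch shows what happens to an existing `operating-system` declaration that still lists bare file-like objects or G-expressions in that field. If patch 1/2 does not accept (or at least warn about) the old representation inside `setuid-program-service-type`, such a configuration would break on the user's next `guix system reconfigure`; whichever it is, the commit message or the "Setuid Programs" section should say so, since the setuid list is exactly the kind of setting users override by hand.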