Subject: [bug#61462] [PATCH v2 01/10] system: Disallow file-like setuid-programs.
References: <87r0uuehlr.fsf@nckx>
In-Reply-To: <87r0uuehlr.fsf@nckx>
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Thu, 20 Jul 2023 20:43:01 +0000
To: 61462@debbugs.gnu.org
Date: Sun, 16 Jul 2023 01:59:51 +0200
Message-ID: <129e8d298556f6a159fcb704ed3df4bf0709ddd3.1689465600.git.me@tobias.gr>
From: Tobias Geerinckx-Rice via Guix-patches

It has been a warning for well over a year now. Now, with privileged-programs coming, don't let's support nested deprecation hacks.

* gnu/system.scm (): Don't ‘sanitize’ the setuid-programs field.
(ensure-setuid-program-list): Delete syntax.
(%ensure-setuid-program-list): Delete variable.
---
This is a quick snapshot of my rebased tree at the request of vagrantc. There shouldn't be any functional changes. If there are, that's cool too.

gnu/system.scm | 28 +--------------------------- 1 file changed, 1 insertion(+), 27 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm index 23addf41e9..e32879b240 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -296,8 +296,7 @@ (define-record-type* operating-system (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) (setuid-programs operating-system-setuid-programs - (default %setuid-programs) ; list of - (sanitize ensure-setuid-program-list)) + (default %setuid-programs)) ; list of (sudoers-file operating-system-sudoers-file ; file-like (default %sudoers-specification))
@@ -1203,31 +1202,6 @@ (define (operating-system-environment-variables os) ;; when /etc/machine-id is missing. Make sure these warnings are non-fatal. ("DBUS_FATAL_WARNINGS" . "0"))) -;; Ensure LST is a list of records and warn otherwise. -(define-with-syntax-properties (ensure-setuid-program-list (lst properties)) - (%ensure-setuid-program-list lst properties)) - -;; We want to be able to use defines, so define a procedure. -(define (%ensure-setuid-program-list lst properties) - (define warned? #f) - - (define (warn-once) - (unless warned? - (warning (source-properties->location properties) - (G_ "representing setuid programs with file-like objects is \ -deprecated; use 'setuid-program' instead~%")) - (set! warned? #t))) - - (map (match-lambda - ((? setuid-program? program) - program) - (program - ;; PROGRAM is a file-like or a gexp like #~(string-append #$foo - ;; "/bin/bar"). - (warn-once) - (setuid-program (program program)))) - lst)) - (define %setuid-programs ;; Default set of setuid-root programs. 
(let ((shadow (@ (gnu packages admin) shadow)))
base-commit: 21b718f4d6c3ded8ef50d12f6e9ae6474f74620f
-- 
2.41.0
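Review bot: in the first hunk (the `setuid-programs` field of the `operating-system` record), dropping the `(sanitize ensure-setuid-program-list)` clause removes the only validation the field had at record-construction time, so a file-like or gexp entry is now accepted silently and will fail, or be mishandled, only when the field is consumed, without the source location that the removed `warning` call reported. Because this field decides which binaries run setuid-root, it is worth keeping a sanitizer that rejects anything that is not `setuid-program?` with an error pointing at the user's configuration, for instance `(sanitize ensure-setuid-program-list)` with the procedure changed to raise instead of warn; the subject line says "Disallow", and an explicit, early error is what that implies.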
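Review bot: in the second hunk, deleting `%ensure-setuid-program-list` removes this region's uses of `define-with-syntax-properties`, `warning`, `source-properties->location`, `G_` and `match-lambda`; check whether the modules that provide them are still needed by other code in gnu/system.scm and drop any now-unused imports in the same commit. This also ends a documented deprecation, so the manual's description of the `setuid-programs` field (and a NEWS entry) should state that only `setuid-program` records are accepted; note that the cover note's "There shouldn't be any functional changes" does not hold for configurations that still pass file-like objects, which previously worked with a warning and now will not.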