Received: (at 62726) by debbugs.gnu.org; 7 Jun 2023 12:59:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jun 07 08:59:29 2023
Received: from localhost ([127.0.0.1]:53767 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1q6sl6-0006di-W5
for submit <at> debbugs.gnu.org; Wed, 07 Jun 2023 08:59:29 -0400
Received: from coleridge.kublai.com ([166.84.7.167]:56822 helo=mail.spork.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <bjc@HIDDEN>) id 1q6sl4-0006da-Nu
for 62726 <at> debbugs.gnu.org; Wed, 07 Jun 2023 08:59:27 -0400
Received: from psyduck.jhoto.kublai.com (ool-18b8e9e7.dyn.optonline.net
[24.184.233.231])
by mail.spork.org (Postfix) with ESMTPSA id 83777DA87;
Wed, 7 Jun 2023 08:59:26 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=spork.org; s=dkim;
t=1686142766; bh=+9Ba3SEINZ6TY19V/+omwD+BFQKankAhEi7CXqDu1z8=;
h=From:To:Cc:Subject:Date;
b=ibW0XuklNoXa15IPlV0yW0w654bfC9P0Illu4Pk9BUyS8MN1+muJeyaS5giq3Qk1x
ZaKAUhtDbnB1DVWBRbe6Mq7STKZb/T2qOvQN8duQdDTU9RrvY+tsHo+x1Kvj0ZzrIx
G9ihnjBZKc/GlOULdpO/8SfqwDeEfSBTaLPyAw3g=
From: Brian Cully <bjc@HIDDEN>
To: 62726 <at> debbugs.gnu.org
Subject: [PATCH v2] services: Activate `setuid-program-service-type' in
shepherd.
Date: Wed, 7 Jun 2023 08:59:17 -0400
Message-Id: <be028df8c5863da26b4818fdc1e27511b8b33b89.1686142757.git.bjc@HIDDEN>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 62726
Cc: Brian Cully <bjc@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Activate using a one-shot Shepherd service on boot, rather than attaching to
ACTIVATION-SERVICE-TYPE to populate `/run/setuid-programs'.
In order to prevent a dependency cycle between (gnu services) and (gnu
services shepherd), introduce a new module (gnu services setuid) and deprecate
the import of `setuid-program-service-type' from (gnu services).
Add the new SETUID-PROGRAMS Shepherd service to the extant Shepherd services
which need it, as well as USER-PROCESSES as a catch for things started later.
* gnu/local.mk (GNU_SYSTEM_MODULES): add setuid.scm.
* gnu/services.scm (setuid-program-service-type): removed.
* gnu/services/setuid.scm: new module.
* gnu/services/dbus.scm (gnu): import (gnu services setuid).
(dbus-shepherd-service): require SETUID-PROGRAMS.
* gnu/services/desktop.scm (gnu): import (gnu services setuid).
* gnu/services/docker.scm (gnu): import (gnu services setuid).
* gnu/services/mail.scm (gnu): import (gnu services setuid).
(<opensmtpd-configuration>): require SETUID-PROGRAMS.
* gnu/services/xorg.scm (gnu): import (gnu services setuid).
* gnu/system.scm (gnu): import (gnu services setuid).
* gnu/system/pam.scm (gnu): import (gnu services setuid).
(pam-root-service): require SETUID-PROGRAMS by default.
---
gnu/local.mk | 1 +
gnu/services.scm | 38 ---------------------------
gnu/services/dbus.scm | 3 ++-
gnu/services/desktop.scm | 1 +
gnu/services/docker.scm | 1 +
gnu/services/mail.scm | 3 ++-
gnu/services/setuid.scm | 57 ++++++++++++++++++++++++++++++++++++++++
gnu/services/xorg.scm | 1 +
gnu/system.scm | 1 +
gnu/system/pam.scm | 5 +++-
10 files changed, 70 insertions(+), 41 deletions(-)
create mode 100644 gnu/services/setuid.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index 9adf593318..6f9013056c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -708,6 +708,7 @@ GNU_SYSTEM_MODULES = \
%D%/services/rsync.scm \
%D%/services/samba.scm \
%D%/services/sddm.scm \
+ %D%/services/setuid.scm \
%D%/services/spice.scm \
%D%/services/ssh.scm \
%D%/services/syncthing.scm \
diff --git a/gnu/services.scm b/gnu/services.scm
index a990d297c9..a17f7dcee1 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -44,7 +44,6 @@ (define-module (gnu services)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
- #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -111,7 +110,6 @@ (define-module (gnu services)
extra-special-file
etc-service-type
etc-directory
- setuid-program-service-type
profile-service-type
firmware-service-type
gc-root-service-type
@@ -828,42 +826,6 @@ (define-deprecated (etc-service files)
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
-(define (setuid-program->activation-gexp programs)
- "Return an activation gexp for setuid-program from PROGRAMS."
- (let ((programs (map (lambda (program)
- ;; FIXME This is really ugly, I didn't managed to use
- ;; "inherit"
- (let ((program-name (setuid-program-program program))
- (setuid? (setuid-program-setuid? program))
- (setgid? (setuid-program-setgid? program))
- (user (setuid-program-user program))
- (group (setuid-program-group program)) )
- #~(setuid-program
- (setuid? #$setuid?)
- (setgid? #$setgid?)
- (user #$user)
- (group #$group)
- (program #$program-name))))
- programs)))
- (with-imported-modules (source-module-closure
- '((gnu system setuid)))
- #~(begin
- (use-modules (gnu system setuid))
-
- (activate-setuid-programs (list #$@programs))))))
-
-(define setuid-program-service-type
- (service-type (name 'setuid-program)
- (extensions
- (list (service-extension activation-service-type
- setuid-program->activation-gexp)))
- (compose concatenate)
- (extend (lambda (config extensions)
- (append config extensions)))
- (description
- "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid and/or setgid.")))
-
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
;; XXX: 'mlet' is needed here for one reason: to get the proper
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index 5a0c634393..7f0deaa037 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -21,6 +21,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
@@ -200,7 +201,7 @@ (define dbus-shepherd-service
(list (shepherd-service
(documentation "Run the D-Bus system daemon.")
(provision '(dbus-system))
- (requirement '(user-processes syslogd))
+ (requirement '(user-processes syslogd setuid-programs))
(start #~(make-forkexec-constructor
(list (string-append #$dbus "/bin/dbus-daemon")
"--nofork" "--system" "--syslog-only")
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index a63748b652..f7a601ed47 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -33,6 +33,7 @@
(define-module (gnu services desktop)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 741bab5a8c..32ed9739bf 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -26,6 +26,7 @@ (define-module (gnu services docker)
#:use-module (gnu services configuration)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 12dcc8e71d..3b001e091a 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -27,6 +27,7 @@ (define-module (gnu services mail)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system shadow)
@@ -1655,7 +1656,7 @@ (define-record-type* <opensmtpd-configuration>
(package opensmtpd-configuration-package
(default opensmtpd))
(shepherd-requirement opensmtpd-configuration-shepherd-requirement
- (default '())) ; list of symbols
+ (default '(setuid-programs))) ; list of symbols
(config-file opensmtpd-configuration-config-file
(default %default-opensmtpd-config-file))
(setgid-commands? opensmtpd-setgid-commands? (default #t)))
diff --git a/gnu/services/setuid.scm b/gnu/services/setuid.scm
new file mode 100644
index 0000000000..00319aabdc
--- /dev/null
+++ b/gnu/services/setuid.scm
@@ -0,0 +1,57 @@
+(define-module (gnu services setuid)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (srfi srfi-1)
+ #:export (setuid-program-service-type))
+
+(define (setuid-programs->shepherd-service programs)
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)
+ (gnu build activation)))
+ (list (shepherd-service
+ (documentation "Populate @file{/run/setuid-programs}.")
+ (provision '(setuid-programs))
+ ;; TODO: actually need to require account service. maybe user-homes
+ ;; as a proxy?
+ (requirement '(file-systems))
+ (one-shot? #t)
+ (modules '((gnu system setuid)
+ (gnu build activation)))
+ (start #~(lambda ()
+ (activate-setuid-programs (list #$@programs))
+ #t)))))))
+
+(define setuid-program-service-type
+ (service-type (name 'setuid-program)
+ (extensions
+ (list
+ (service-extension shepherd-root-service-type
+ setuid-programs->shepherd-service)
+ ;; Ensure that setuid programs are set up by the time they
+ ;; might be needed by user-configured processes and daemons.
+ (service-extension user-processes-service-type
+ (const '(setuid-programs)))))
+ (compose concatenate)
+ (extend append)
+ (default-value '())
+ (description
+ "Populate @file{/run/setuid-programs} with the specified
+executables, making them setuid and/or setgid.")))
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index f8cf9f25b6..efcaa52754 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -35,6 +35,7 @@ (define-module (gnu services xorg)
#:use-module (gnu artwork)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system setuid)
diff --git a/gnu/system.scm b/gnu/system.scm
index 354f58f55b..5f834dd8b6 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -67,6 +67,7 @@ (define-module (gnu system)
#:use-module (gnu packages text-editors)
#:use-module (gnu packages wget)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu bootloader)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a035a92e25..4c62e130de 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -24,6 +24,7 @@ (define-module (gnu system pam)
#:use-module (guix gexp)
#:use-module (guix i18n)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (ice-9 match)
@@ -443,7 +444,9 @@ (define pam-root-service-type
program may authenticate users or what it should do when opening a new
session.")))
-(define* (pam-root-service base #:key (transformers '()) (shepherd-requirements '()))
+(define* (pam-root-service base
+ #:key (transformers '())
+ (shepherd-requirements '(setuid-programs)))
"The \"root\" PAM service, which collects <pam-service> instance and turns
them into a /etc/pam.d directory, including the <pam-service> listed in BASE.
TRANSFORM is a procedure that takes a <pam-service> and returns a
base-commit: 940665301de4effd065d24c167f619286f2adf4c
--
2.40.1
guix-patches@HIDDEN:bug#62726; Package guix-patches.
Full text available.Received: (at 62726) by debbugs.gnu.org; 7 Jun 2023 12:58:39 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Jun 07 08:58:39 2023 Received: from localhost ([127.0.0.1]:53753 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1q6skI-0006bK-TU for submit <at> debbugs.gnu.org; Wed, 07 Jun 2023 08:58:39 -0400 Received: from coleridge.kublai.com ([166.84.7.167]:57387 helo=mail.spork.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <bjc@HIDDEN>) id 1q6skH-0006bD-LL for 62726 <at> debbugs.gnu.org; Wed, 07 Jun 2023 08:58:38 -0400 Received: from psyduck (unknown [24.184.233.231]) by mail.spork.org (Postfix) with ESMTPSA id 39CB4DA86 for <62726 <at> debbugs.gnu.org>; Wed, 7 Jun 2023 08:58:37 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=spork.org; s=dkim; t=1686142717; bh=+buRmY39DNXyxDlBgP020I4kdb/bvX6g7hZEbbeojqQ=; h=From:To:Subject:In-Reply-To:References:Date; b=Kn5qZ0362VJpjt2NQIfRyzaSa0hp0wxU8BAz71CMTDoBeNevmYujF6VMNVRtPeW/S +fdnVOxDQszVRF96tg9rlm0zpT15WLLT2nOIEZB0ttnP2L3ATpLgZyvwx3xn7acK75 /ctpDh16vsnYIAK5xBFDUN8wJbA6DKesKsH5dxgU= From: Brian Cully <bjc@HIDDEN> To: 62726 <at> debbugs.gnu.org Subject: Re: bug#62726: [PATCH] services: Activate `setuid-program-service-type' in shepherd. In-Reply-To: <c8454cf94417a48931f2583c9af14df83820d354.1680966995.git.bjc@HIDDEN> (Brian Cully's message of "Sat, 8 Apr 2023 11:16:35 -0400") References: <874jpq4dfi.fsf@HIDDEN> <c8454cf94417a48931f2583c9af14df83820d354.1680966995.git.bjc@HIDDEN> Date: Wed, 07 Jun 2023 08:58:16 -0400 Message-ID: <874jnja0pj.fsf_-_@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 62726 X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) I've made some changes to this patch to address some issues: 1) I've added =E2=80=98setuid-programs=E2=80=99 as a requirement to various= Shepherd services which need it, such as dbus and pam. I've also added it to =E2=80=98user-processes=E2=80=99 as a requirement to catch things we don't = specify explicitly. 2) I've removed (@ (gnu services) setuid-programs), rather than marking it deprecated. Since the variable name (setuid-programs-service-type) hasn't changed, normal deprecation doesn't work anyway, and just leads to annoying double-import warnings. This probably deserves an entry in =E2=80=98guix pull --news=E2=80=99, beca= use, as a Shepherd service it can now be used by other Shepherd services, and the module path has changed, which will cause errors for existing system configurations which use =E2=80=98setuid-programs-service-type=E2=80=99. I'= m not sure the best way to go about adding it, though, or if I should let a committer do it.
guix-patches@HIDDEN:bug#62726; Package guix-patches.
Full text available.Brian Cully <bjc@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Leo Famulari <leo@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.
Received: (at 62726) by debbugs.gnu.org; 8 Apr 2023 15:16:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 08 11:16:39 2023
Received: from localhost ([127.0.0.1]:59317 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1plAIx-0006hs-6G
for submit <at> debbugs.gnu.org; Sat, 08 Apr 2023 11:16:39 -0400
Received: from coleridge.kublai.com ([166.84.7.167]:61860 helo=mail.spork.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <bjc@HIDDEN>) id 1plAIv-0006hi-KX
for 62726 <at> debbugs.gnu.org; Sat, 08 Apr 2023 11:16:38 -0400
Received: from psyduck.jhoto.kublai.com (ool-18b8e9e7.dyn.optonline.net
[24.184.233.231])
by mail.spork.org (Postfix) with ESMTPSA id 70729A86F;
Sat, 8 Apr 2023 11:16:37 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=spork.org; s=dkim;
t=1680966997; bh=EQMMz5hm8clzjPwU1kyvrDlgAD2TtLv5f1zpwcqNZu0=;
h=From:To:Cc:Subject:Date;
b=eIvW8TzpzZzwltsFq2aEjkY33OluBiFPNfdSCiBu101cIkv5s527PKPTzCTTELu6K
2QWeEUzXVYvhAu79B4CvjHXIkMP5y3R4LyO7/fMGH6T96CnTLz3Jbyt1u0zy0PFE9I
3pskbzfLRFSA2ZdPQ1K5zfDZZI7xeOmay88OTgDA=
From: Brian Cully <bjc@HIDDEN>
To: 62726 <at> debbugs.gnu.org
Subject: [PATCH] services: Activate `setuid-program-service-type' in shepherd.
Date: Sat, 8 Apr 2023 11:16:35 -0400
Message-Id: <c8454cf94417a48931f2583c9af14df83820d354.1680966995.git.bjc@HIDDEN>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 62726
Cc: Brian Cully <bjc@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)
Activate using a one-shot Shepherd service on boot, rather than attaching to
`activation-service-type' to populate `/run/setuid-programs'.
In order to prevent a dependency cycle between (gnu services) and (gnu
services shepherd), introduce a new module (gnu services setuid) and deprecate
the import of `setuid-program-service-type' from (gnu services).
* gnu/local.mk (GNU_SYSTEM_MODULES): add setuid.scm.
* gnu/services.scm (setuid-program-service-type): deprecate.
* gnu/services/setuid.scm: new module.
* gnu/services/dbus.scm (gnu): import (gnu services setuid).
* gnu/services/desktop.scm (gnu): import (gnu services setuid).
* gnu/services/docker.scm (gnu): import (gnu services setuid).
* gnu/services/mail.scm (gnu): import (gnu services setuid).
* gnu/services/xorg.scm (gnu): import (gnu services setuid).
* gnu/system.scm (gnu): import (gnu services setuid).
---
gnu/local.mk | 1 +
gnu/services.scm | 40 +++---------------------------
gnu/services/dbus.scm | 1 +
gnu/services/desktop.scm | 1 +
gnu/services/docker.scm | 1 +
gnu/services/mail.scm | 1 +
gnu/services/setuid.scm | 53 ++++++++++++++++++++++++++++++++++++++++
gnu/services/xorg.scm | 1 +
gnu/system.scm | 1 +
9 files changed, 63 insertions(+), 37 deletions(-)
create mode 100644 gnu/services/setuid.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index b7e19b6bc2..55dae3426a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -704,6 +704,7 @@ GNU_SYSTEM_MODULES = \
%D%/services/rsync.scm \
%D%/services/samba.scm \
%D%/services/sddm.scm \
+ %D%/services/setuid.scm \
%D%/services/spice.scm \
%D%/services/ssh.scm \
%D%/services/syncthing.scm \
diff --git a/gnu/services.scm b/gnu/services.scm
index d6c7ad0553..f42d4bc15f 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -43,7 +43,6 @@ (define-module (gnu services)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages hurd)
- #:use-module (gnu system setuid)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-9 gnu)
@@ -110,7 +109,7 @@ (define-module (gnu services)
extra-special-file
etc-service-type
etc-directory
- setuid-program-service-type
+ setuid-program-service-type ; deprecated
profile-service-type
firmware-service-type
gc-root-service-type
@@ -811,41 +810,8 @@ (define-deprecated (etc-service files)
FILES must be a list of name/file-like object pairs."
(service etc-service-type files))
-(define (setuid-program->activation-gexp programs)
- "Return an activation gexp for setuid-program from PROGRAMS."
- (let ((programs (map (lambda (program)
- ;; FIXME This is really ugly, I didn't managed to use
- ;; "inherit"
- (let ((program-name (setuid-program-program program))
- (setuid? (setuid-program-setuid? program))
- (setgid? (setuid-program-setgid? program))
- (user (setuid-program-user program))
- (group (setuid-program-group program)) )
- #~(setuid-program
- (setuid? #$setuid?)
- (setgid? #$setgid?)
- (user #$user)
- (group #$group)
- (program #$program-name))))
- programs)))
- (with-imported-modules (source-module-closure
- '((gnu system setuid)))
- #~(begin
- (use-modules (gnu system setuid))
-
- (activate-setuid-programs (list #$@programs))))))
-
-(define setuid-program-service-type
- (service-type (name 'setuid-program)
- (extensions
- (list (service-extension activation-service-type
- setuid-program->activation-gexp)))
- (compose concatenate)
- (extend (lambda (config extensions)
- (append config extensions)))
- (description
- "Populate @file{/run/setuid-programs} with the specified
-executables, making them setuid and/or setgid.")))
+(define-deprecated/public-alias setuid-program-service-type
+ (@ (gnu services setuid) setuid-program-service-type))
(define (packages->profile-entry packages)
"Return a system entry for the profile containing PACKAGES."
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index e9c9346f56..dd9f0122b1 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -21,6 +21,7 @@
(define-module (gnu services dbus)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index adea5b38dd..1ff7abd61e 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -33,6 +33,7 @@
(define-module (gnu services desktop)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 741bab5a8c..32ed9739bf 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -26,6 +26,7 @@ (define-module (gnu services docker)
#:use-module (gnu services configuration)
#:use-module (gnu services base)
#:use-module (gnu services dbus)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system setuid)
#:use-module (gnu system shadow)
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index bf4948dcfb..d6e35a07f8 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -27,6 +27,7 @@ (define-module (gnu services mail)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system shadow)
diff --git a/gnu/services/setuid.scm b/gnu/services/setuid.scm
new file mode 100644
index 0000000000..4e46510733
--- /dev/null
+++ b/gnu/services/setuid.scm
@@ -0,0 +1,53 @@
+(define-module (gnu services setuid)
+ #:use-module (gnu services)
+ #:use-module (gnu services shepherd)
+ #:use-module (gnu system setuid)
+ #:use-module (guix gexp)
+ #:use-module (guix modules)
+ #:use-module (srfi srfi-1)
+ #:export (setuid-program-service-type))
+
+(define (setuid-programs->shepherd-service programs)
+ (let ((programs (map (lambda (program)
+ ;; FIXME This is really ugly, I didn't managed to use
+ ;; "inherit"
+ (let ((program-name (setuid-program-program program))
+ (setuid? (setuid-program-setuid? program))
+ (setgid? (setuid-program-setgid? program))
+ (user (setuid-program-user program))
+ (group (setuid-program-group program)) )
+ #~(setuid-program
+ (setuid? #$setuid?)
+ (setgid? #$setgid?)
+ (user #$user)
+ (group #$group)
+ (program #$program-name))))
+ programs)))
+ (with-imported-modules (source-module-closure
+ '((gnu system setuid)
+ (gnu build activation)))
+ (list (shepherd-service
+ (documentation "Populate @file{/run/setuid-programs}.")
+ (provision '(setuid-programs))
+ ;; TODO: actually need to require account service. maybe user-homes
+ ;; as a proxy?
+ (requirement '(file-systems))
+ (one-shot? #t)
+ (modules '((gnu system setuid)
+ (gnu build activation)))
+ (start #~(lambda ()
+ (activate-setuid-programs (list #$@programs))
+ #t)))))))
+
+(define setuid-program-service-type
+ (service-type (name 'setuid-program)
+ (extensions
+ (list
+ (service-extension shepherd-root-service-type
+ setuid-programs->shepherd-service)))
+ (compose concatenate)
+ (extend append)
+ (default-value '())
+ (description
+ "Populate @file{/run/setuid-programs} with the specified
+executables, making them setuid and/or setgid.")))
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 7295a45b59..9ed1977f66 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -34,6 +34,7 @@ (define-module (gnu services xorg)
#:use-module (gnu artwork)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (gnu system setuid)
diff --git a/gnu/system.scm b/gnu/system.scm
index c17c6e4e98..8faa3b4672 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -67,6 +67,7 @@ (define-module (gnu system)
#:use-module (gnu packages text-editors)
#:use-module (gnu packages wget)
#:use-module (gnu services)
+ #:use-module (gnu services setuid)
#:use-module (gnu services shepherd)
#:use-module (gnu services base)
#:use-module (gnu bootloader)
--
2.39.2
guix-patches@HIDDEN:bug#62726; Package guix-patches.
Full text available.Received: (at submit) by debbugs.gnu.org; 8 Apr 2023 15:11:00 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 08 11:11:00 2023 Received: from localhost ([127.0.0.1]:59307 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1plADU-0006YY-6V for submit <at> debbugs.gnu.org; Sat, 08 Apr 2023 11:11:00 -0400 Received: from lists.gnu.org ([209.51.188.17]:44504) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <bjc@HIDDEN>) id 1plADR-0006YQ-UD for submit <at> debbugs.gnu.org; Sat, 08 Apr 2023 11:10:58 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <bjc@HIDDEN>) id 1plADR-0003Nq-Co for guix-patches@HIDDEN; Sat, 08 Apr 2023 11:10:57 -0400 Received: from coleridge.kublai.com ([166.84.7.167] helo=mail.spork.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <bjc@HIDDEN>) id 1plADQ-000589-4A for guix-patches@HIDDEN; Sat, 08 Apr 2023 11:10:57 -0400 Received: from psyduck (ool-18b8e9e7.dyn.optonline.net [24.184.233.231]) by mail.spork.org (Postfix) with ESMTPSA id 22718A9B1 for <guix-patches@HIDDEN>; Sat, 8 Apr 2023 11:10:55 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=spork.org; s=dkim; t=1680966655; bh=sHcQ9mA9MFL52kfxADaw+YggF0Im0NLBN+kfhvzNzfw=; h=From:To:Subject:Date; b=ov6OMkTdzhIKMJEU/lxZgSx6cE5YVPCcIUGqsDFCX7dfhrDovqNhdjvcGEaMsi7OF 4fgFSFvxKDWnGtdpUH6N8Jpb2RcLo1jZcRWb4qIT1dIJeASXjtq6LoKvMbiTtK/kxk gnR0lgvO1KJKl748JW0JNpfZ11MZaaOPwOIn4nCY= User-agent: mu4e 1.10.0; emacs 28.2 From: Brian Cully <bjc@HIDDEN> To: guix-patches@HIDDEN Subject: services: Activate `setuid-program-service-type' in shepherd. Date: Sat, 08 Apr 2023 11:09:43 -0400 Message-ID: <874jpq4dfi.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; format=flowed Received-SPF: pass client-ip=166.84.7.167; envelope-from=bjc@HIDDEN; helo=mail.spork.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -2.3 (--) This patch moves setuid activation to a one-shot shepherd service, and fixes #62725. -- -bjc
Brian Cully <bjc@HIDDEN>:guix-patches@HIDDEN.
Full text available.guix-patches@HIDDEN:bug#62726; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.