system: Add privileged-programs to <operating-system>.

* gnu/system.scm (<operating-system>): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which is now defined as the empty list. * doc/guix.texi (Setuid Programs): Rename this… (Privileged Programs): …to this. Adjust all refs. Update all mentions of ‘setuid’ (whether in prose, variable names, or code samples) to use the new ‘privilege[d]’ terminology instead. (operating-system Reference, X Window, Invoking guix system) (Service Reference): Adjust likewise.
2024-11-07 07:26:13 -05:00 · 2022-10-23 02:00:01 +02:00 · 2022-10-23 02:00:01 +02:00 · 4e58dfee6c
commit 4e58dfee6c
parent beb37ea4ad
4 changed files with 60 additions and 45 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -370,7 +370,7 @@ System Configuration
 * Keyboard Layout::             How the system interprets key strokes.
 * Locales::                     Language and cultural convention settings.
 * Services::                    Specifying system services.
-* Setuid Programs::             Programs running with elevated privileges.
+* Privileged Programs::         Programs running with elevated privileges.
 * X.509 Certificates::          Authenticating HTTPS servers.
 * Name Service Switch::         Configuring libc's name service switch.
 * Initial RAM Disk::            Linux-Libre bootstrapping.
@ -16965,7 +16965,7 @@ instance to support new system services.
 * Keyboard Layout::             How the system interprets key strokes.
 * Locales::                     Language and cultural convention settings.
 * Services::                    Specifying system services.
-* Setuid Programs::             Programs running with elevated privileges.
+* Privileged Programs::         Programs running with elevated privileges.
 * X.509 Certificates::          Authenticating HTTPS servers.
 * Name Service Switch::         Configuring libc's name service switch.
 * Initial RAM Disk::            Linux-Libre bootstrapping.
@ -17689,9 +17689,9 @@ touch this field.
 Linux @dfn{pluggable authentication module} (PAM) services.
@c FIXME: Add xref to PAM services section.

-@item @code{setuid-programs} (default: @code{%setuid-programs})
-List of @code{<setuid-program>}.  @xref{Setuid Programs}, for more
-information.
+@item @code{privileged-programs} (default: @code{%default-privileged-programs})
+List of @code{<privileged-program>}.  @xref{Privileged Programs}, for
+more information.

@item @code{sudoers-file} (default: @code{%sudoers-specification})
@cindex sudoers file
@ -23700,10 +23700,10 @@ environment, you are unlikely to need this procedure.

@defvar screen-locker-service-type
 Type for a service that adds a package for a screen locker or screen
-saver to the set of setuid programs and/or add a PAM entry for it.  The
+saver to the set of privileged programs and/or add a PAM entry for it.  The
 value for this service is a @code{<screen-locker-configuration>} object.

-While the default behavior is to setup both a setuid program and PAM
+While the default behavior is to setup both a privileged program and PAM
 entry, these two methods are redundant.  Screen locker programs may not
 execute when PAM is configured and @code{setuid} is set on their
 executable.  In this case, @code{using-setuid?} can be set to @code{#f}.
@ -27877,7 +27877,7 @@ remote servers.  Run @command{man smtpd.conf} for more information.
 Make the following commands setgid to @code{smtpq} so they can be
 executed: @command{smtpctl}, @command{sendmail}, @command{send-mail},
@command{makemap}, @command{mailq}, and @command{newaliases}.
-@xref{Setuid Programs}, for more information on setgid programs.
+@xref{Privileged Programs}, for more information on setgid programs.
@end table
@end deftp

@ -40848,8 +40848,8 @@ create and run application bundles (aka. ``containers'').  The value for this
 service is the Singularity package to use.

 The service does not install a daemon; instead, it installs helper programs as
-setuid-root (@pxref{Setuid Programs}) such that unprivileged users can invoke
-@command{singularity run} and similar commands.
+setuid-root (@pxref{Privileged Programs}) such that unprivileged users can
+invoke @command{singularity run} and similar commands.
@end defvar

@cindex OCI-backed, Shepherd services
@ -41649,9 +41649,10 @@ invokation.

@c %end of fragment

-@node Setuid Programs
-@section Setuid Programs
+@node Privileged Programs
+@section Privileged Programs

+@cindex privileged programs
@cindex setuid programs
@cindex setgid programs
 Some programs need to run with elevated privileges, even when they are
@ -41664,46 +41665,48 @@ obvious security reasons.  To address that, @command{passwd} should be
 (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
 for more info about the setuid mechanism).

-The store itself @emph{cannot} contain setuid programs: that would be a
-security issue since any user on the system can write derivations that
+The store itself @emph{cannot} contain privileged programs: that would be
+a security issue since any user on the system can write derivations that
 populate the store (@pxref{The Store}).  Thus, a different mechanism is
-used: instead of changing the setuid or setgid bits directly on files that
-are in the store, we let the system administrator @emph{declare} which
+used: instead of directly granting permissions to files that are in
+the store, we let the system administrator @emph{declare} which
 programs should be entrusted with these additional privileges.

-The @code{setuid-programs} field of an @code{operating-system}
-declaration contains a list of @code{<setuid-program>} denoting the
+The @code{privileged-programs} field of an @code{operating-system}
+declaration contains a list of @code{<privileged-program>} denoting the
 names of programs to have a setuid or setgid bit set (@pxref{Using the
 Configuration System}).  For instance, the @command{mount.nfs} program,
 which is part of the nfs-utils package, with a setuid root can be
 designated like this:

@lisp
-(setuid-program
-  (program (file-append nfs-utils "/sbin/mount.nfs")))
+(privileged-program
+  (program (file-append nfs-utils "/sbin/mount.nfs"))
+  (setuid? #t))
@end lisp

 And then, to make @command{mount.nfs} setuid on your system, add the
 previous example to your operating system declaration by appending it to
-@code{%setuid-programs} like this:
+@code{%default-privileged-programs} like this:

@lisp
 (operating-system
  ;; Some fields omitted...
-  (setuid-programs
-    (append (list (setuid-program
-                    (program (file-append nfs-utils "/sbin/mount.nfs"))))
-            %setuid-programs)))
+  (privileged-programs
+    (append (list (privileged-program
+                    (program (file-append nfs-utils "/sbin/mount.nfs"))
+                    (setuid? #t))
+            %default-privileged-programs)))
@end lisp

-@deftp {Data Type} setuid-program
-This data type represents a program with a setuid or setgid bit set.
+@deftp {Data Type} privileged-program
+This data type represents a program with special privileges, such as setuid

@table @asis
@item @code{program}
-A file-like object having its setuid and/or setgid bit set.
+A file-like object to which all given privileges should apply.

-@item @code{setuid?} (default: @code{#t})
+@item @code{setuid?} (default: @code{#f})
 Whether to set user setuid bit.

@item @code{setgid?} (default: @code{#f})
@ -41720,18 +41723,18 @@ defaults to root.
@end table
@end deftp

-A default set of setuid programs is defined by the
-@code{%setuid-programs} variable of the @code{(gnu system)} module.
+A default set of privileged programs is defined by the
+@code{%default-privileged-programs} variable of the @code{(gnu system)} module.

-@defvar %setuid-programs
-A list of @code{<setuid-program>} denoting common programs that are
-setuid-root.
+@defvar {Scheme Variable} %default-privileged-programs
+A list of @code{<privileged-program>} denoting common programs with
+elevated privileges.

 The list includes commands such as @command{passwd}, @command{ping},
@command{su}, and @command{sudo}.
@end defvar

-Under the hood, the actual setuid programs are created in the
+Under the hood, the actual privileged programs are created in the
@file{/run/privileged/bin} directory at system activation time.  The
 files in this directory refer to the ``real'' binaries, which are in the
 store.
@ -42674,7 +42677,7 @@ once @command{reconfigure} has completed.
@end quotation

 This effects all the configuration specified in @var{file}: user
-accounts, system services, global package list, setuid programs, etc.
+accounts, system services, global package list, privileged programs, etc.
 The command starts system services specified in @var{file} that are not
 currently running; if a service is currently running this command will
 arrange for it to be upgraded the next time it is stopped (e.g.@: by
@ -44047,10 +44050,10 @@ In this example, the effect would be to add an @file{/etc/issue} file
 pointing to the given file.
@end defvar

-@defvar setuid-program-service-type
-Type for the ``setuid-program service''.  This service collects lists of
+@defvar privileged-program-service-type
+Type for the ``privileged-program service''.  This service collects lists of
 executable file names, passed as gexps, and adds them to the set of
-setuid and setgid programs on the system (@pxref{Setuid Programs}).
+privileged programs on the system (@pxref{Privileged Programs}).
@end defvar

@defvar profile-service-type
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@ -504,7 +504,7 @@ (define-public tomb
     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
       ;; The "sudo" input is needed only to satisfy dependency checks in the
       ;; 'check' phase.  The "sudo" used at runtime should come from the
-       ;; system's setuid-programs, so ensure no reference is kept.
+       ;; system's privileged-programs, so ensure no reference is kept.
       #:disallowed-references (,sudo)
       ;; TODO: Build and install gtk and qt trays
       #:phases
--- a/gnu/services.scm
+++ b/gnu/services.scm
@ -47,7 +47,6 @@ (define-module (gnu services)
  #:use-module (gnu packages bash)
  #:use-module (gnu packages hurd)
  #:use-module (gnu system privilege)
-  #:use-module (gnu system setuid)
  #:use-module (srfi srfi-1)
  #:use-module (srfi srfi-9)
  #:use-module (srfi srfi-9 gnu)
--- a/gnu/system.scm
+++ b/gnu/system.scm
@ -77,6 +77,7 @@ (define-module (gnu system)
  #:use-module (gnu system locale)
  #:use-module (gnu system pam)
  #:use-module (gnu system linux-initrd)
+  #:use-module (gnu system privilege)
  #:use-module (gnu system setuid)
  #:use-module (gnu system uuid)
  #:use-module (gnu system file-systems)
@ -130,6 +131,7 @@ (define-module (gnu system)
            operating-system-keyboard-layout
            operating-system-name-service-switch
            operating-system-pam-services
+            operating-system-privileged-programs
            operating-system-setuid-programs
            operating-system-skeletons
            operating-system-sudoers-file
@ -174,6 +176,7 @@ (define-module (gnu system)

            local-host-aliases                    ;deprecated
            %root-account
+            %default-privileged-programs
            %setuid-programs
            %sudoers-specification
            %base-packages
@ -301,7 +304,10 @@ (define-record-type* <operating-system> operating-system

  (pam-services operating-system-pam-services     ; list of PAM services
                (default (base-pam-services)))
+  (privileged-programs operating-system-privileged-programs ; list of <privileged-program>
+                       (default %default-privileged-programs))
  (setuid-programs operating-system-setuid-programs
+                   ;; For backwards compatibility; will be removed.
                   (default %setuid-programs))    ; list of <setuid-program>

  (sudoers-file operating-system-sudoers-file     ; file-like
@ -821,7 +827,8 @@ (define known-fs
           (service host-name-service-type host-name)
           procs root-fs
           (service privileged-program-service-type
-                    (operating-system-setuid-programs os))
+                    (append (operating-system-privileged-programs os)
+                            (operating-system-setuid-programs os)))
           (service profile-service-type
                    (operating-system-packages os))
           boot-fs non-boot-fs
@ -860,7 +867,8 @@ (define (hurd-default-essential-services os)
              (service hosts-service-type
                       (local-host-entries host-name)))
          (service privileged-program-service-type
-                   (operating-system-setuid-programs os))
+                   (append (operating-system-privileged-programs os)
+                           (operating-system-setuid-programs os)))
          (service profile-service-type (operating-system-packages os)))))

 (define* (operating-system-services os)
@ -1239,8 +1247,7 @@ (define (operating-system-environment-variables os)
    ;; when /etc/machine-id is missing.  Make sure these warnings are non-fatal.
    ("DBUS_FATAL_WARNINGS" . "0")))

-(define %setuid-programs
-  ;; Default set of setuid-root programs.
+(define %default-privileged-programs
  (let ((shadow (@ (gnu packages admin) shadow)))
    (map file-like->setuid-program
         (list (file-append shadow "/bin/passwd")
@ -1262,6 +1269,12 @@ (define %setuid-programs
               (file-append util-linux "/bin/mount")
               (file-append util-linux "/bin/umount")))))

+(define %setuid-programs
+  ;; Do not add to this list or use it in new code!  It's defined only to ease
+  ;; transition to %default-privileged-programs and will be removed.  Some rare
+  ;; use cases already break, such as the obvious (remove … %setuid-programs).
+  '())
+
 (define %sudoers-specification
  ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel'
  ;; group can do anything.  See