ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

gnu: Replace (almost) all uses of /run/setuid-programs.

Browse source 
…those good for master, anyway.

* gnu/packages/admin.scm (ktsuss, opendoas, hosts)
[arguments]: Replace /run/setuid-programs with /run/privileged/bin.
* gnu/packages/containers.scm (slirp4netns)[arguments]: Likewise.
* gnu/packages/debian.scm (pbuilder)[arguments]: Likewise.
* gnu/packages/disk.scm (udevil)[arguments]: Likewise.
* gnu/packages/enlightenment.scm (efl, enlightenment)
[arguments]: Likewise.
* gnu/packages/gnome.scm (gdm, gnome-control-center)
[arguments]: Likewise.
* gnu/packages/linux.scm (singularity)[arguments]: Likewise.
* gnu/packages/lxde.scm (spacefm)[arguments]: Likewise.
* gnu/packages/monitoring.scm (zabbix-agentd)[arguments]: Likewise.
* gnu/packages/virtualization.scm (ganeti)[arguments]: Likewise.
* gnu/packages/xdisorg.scm (xsecurelock)[arguments]: Likewise.
* gnu/services/dbus.scm (dbus-configuration-directory): Likewise.
* gnu/services/ganeti.scm (%default-ganeti-environment-variables):
Likewise.
* gnu/services/monitoring.scm (zabbix-agent-shepherd-service): Likewise.
* gnu/tests/ldap.scm (marionette): Likewise.
* gnu/tests/monitoring.scm (os): Likewise.
This commit is contained in:
Tobias Geerinckx-Rice 2022-05-29 02:01:19 +02:00
parent e364d1a494
commit 902b15b24d
No known key found for this signature in database
GPG key ID: 0DB0FF884F556D79
17 changed files with 39 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
gnu/machine/ssh.scm
View file

@ -178,6 +178,8 @@ (define (machine-become-command machine)
(if (string= "root" (machine-ssh-configuration-user (if (string= "root" (machine-ssh-configuration-user
(machine-configuration machine))) (machine-configuration machine)))
'() '()
;; Use the old setuid-programs location until the remote is likely to
;; have the new /run/privileged one in place.
'("/run/setuid-programs/sudo" "-n" "--"))) '("/run/setuid-programs/sudo" "-n" "--")))
(define (managed-host-remote-eval machine exp) (define (managed-host-remote-eval machine exp)

6
gnu/packages/admin.scm
View file

@ -220,7 +220,7 @@ (define-public ktsuss
(lambda _ (lambda _
(substitute* "configure.ac" (substitute* "configure.ac"
(("supath=`which su 2>/dev/null`") (("supath=`which su 2>/dev/null`")
"supath=/run/setuid-programs/su")) "supath=/run/privileged/bin/su"))
#t))))) #t)))))
(native-inputs (native-inputs
(list autoconf automake libtool pkg-config)) (list autoconf automake libtool pkg-config))
@ -2156,7 +2156,7 @@ (define-public opendoas
(substitute* "doas.c" (substitute* "doas.c"
(("safepath =" match) (("safepath =" match)
(string-append match " \"" (string-append match " \""
"/run/setuid-programs:" "/run/privileged/bin:"
"/run/current-system/profile/bin:" "/run/current-system/profile/bin:"
"/run/current-system/profile/sbin:" "/run/current-system/profile/sbin:"
"\" "))))) "\" ")))))
@ -5090,7 +5090,7 @@ (define-public hosts
":" (assoc-ref %build-inputs "grep") "/bin" ":" (assoc-ref %build-inputs "grep") "/bin"
":" (assoc-ref %build-inputs "ncurses") "/bin" ":" (assoc-ref %build-inputs "ncurses") "/bin"
":" (assoc-ref %build-inputs "sed") "/bin" ":" (assoc-ref %build-inputs "sed") "/bin"
":" "/run/setuid-programs" ":" "/run/privileged/bin"
":" (getenv "PATH"))) ":" (getenv "PATH")))
(substitute* "hosts" (substitute* "hosts"
(("#!/usr/bin/env bash") (("#!/usr/bin/env bash")

2
gnu/packages/containers.scm
View file

@ -274,7 +274,7 @@ (define-public slirp4netns
(add-after 'unpack 'fix-hardcoded-paths (add-after 'unpack 'fix-hardcoded-paths
(lambda _ (lambda _
(substitute* (find-files "tests" "\\.sh") (substitute* (find-files "tests" "\\.sh")
(("ping") "/run/setuid-programs/ping"))))))) (("ping") "/run/privileged/bin/ping")))))))
(inputs (inputs
(list glib (list glib
libcap libcap

4
gnu/packages/debian.scm
View file

@ -725,8 +725,8 @@ (define-public pbuilder
(lambda () (lambda ()
(format #t "# A couple of presets to make this work more smoothly.~@ (format #t "# A couple of presets to make this work more smoothly.~@
MIRRORSITE=\"http://deb.debian.org/debian\"~@ MIRRORSITE=\"http://deb.debian.org/debian\"~@
if [ -r /run/setuid-programs/sudo ]; then~@ if [ -r /run/privileged/bin/sudo ]; then~@
PBUILDERROOTCMD=\"/run/setuid-programs/sudo -E\"~@ PBUILDERROOTCMD=\"/run/privileged/bin/sudo -E\"~@
fi~@ fi~@
PBUILDERSATISFYDEPENDSCMD=\"~a/lib/pbuilder/pbuilder-satisfydepends-apt\"~%" PBUILDERSATISFYDEPENDSCMD=\"~a/lib/pbuilder/pbuilder-satisfydepends-apt\"~%"
#$output))))) #$output)))))

14
gnu/packages/disk.scm
View file

@ -212,10 +212,10 @@ (define-public udevil
;; udevil expects these programs to be run with uid set as root. ;; udevil expects these programs to be run with uid set as root.
;; user has to manually add these programs to setuid-programs. ;; user has to manually add these programs to setuid-programs.
;; mount and umount are default setuid-programs in guix system. ;; mount and umount are default setuid-programs in guix system.
"--with-mount-prog=/run/setuid-programs/mount" "--with-mount-prog=/run/privileged/bin/mount"
"--with-umount-prog=/run/setuid-programs/umount" "--with-umount-prog=/run/privileged/bin/umount"
"--with-losetup-prog=/run/setuid-programs/losetup" "--with-losetup-prog=/run/privileged/bin/losetup"
"--with-setfacl-prog=/run/setuid-programs/setfacl") "--with-setfacl-prog=/run/privileged/bin/setfacl")
#:phases #:phases
(modify-phases %standard-phases (modify-phases %standard-phases
(add-after 'unpack 'remove-root-reference (add-after 'unpack 'remove-root-reference
@ -226,12 +226,12 @@ (define-public udevil
(add-after 'unpack 'patch-udevil-reference (add-after 'unpack 'patch-udevil-reference
;; udevil expects itself to be run with uid set as root. ;; udevil expects itself to be run with uid set as root.
;; devmon also expects udevil to be run with uid set as root. ;; devmon also expects udevil to be run with uid set as root.
;; user has to manually add udevil to setuid-programs. ;; user has to manually add udevil to privileged-programs.
(lambda _ (lambda _
(substitute* "src/udevil.c" (substitute* "src/udevil.c"
(("/usr/bin/udevil") "/run/setuid-programs/udevil")) (("/usr/bin/udevil") "/run/privileged/bin/udevil"))
(substitute* "src/devmon" (substitute* "src/devmon"
(("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil")) (("`which udevil 2>/dev/null`") "/run/privileged/bin/udevil"))
#t))))) #t)))))
(native-inputs (native-inputs
(list intltool pkg-config)) (list intltool pkg-config))

10
gnu/packages/enlightenment.scm
View file

@ -149,8 +149,8 @@ (define-public efl
"-Dbuild-examples=false" "-Dbuild-examples=false"
"-Decore-imf-loaders-disabler=scim" "-Decore-imf-loaders-disabler=scim"
"-Dglib=true" "-Dglib=true"
"-Dmount-path=/run/setuid-programs/mount" "-Dmount-path=/run/privileged/bin/mount"
"-Dunmount-path=/run/setuid-programs/umount" "-Dunmount-path=/run/privileged/bin/umount"
"-Dnetwork-backend=connman" "-Dnetwork-backend=connman"
,,@(if (member (%current-system) ,,@(if (member (%current-system)
(package-transitive-supported-systems luajit)) (package-transitive-supported-systems luajit))
@ -338,7 +338,7 @@ (define-public enlightenment
(substitute* '("src/bin/e_sys_main.c" (substitute* '("src/bin/e_sys_main.c"
"src/bin/e_util_suid.h") "src/bin/e_util_suid.h")
(("PATH=/bin:/usr/bin:/sbin:/usr/sbin") (("PATH=/bin:/usr/bin:/sbin:/usr/sbin")
(string-append "PATH=/run/setuid-programs:" (string-append "PATH=/run/privileged/bin:"
"/run/current-system/profile/bin:" "/run/current-system/profile/bin:"
"/run/current-system/profile/sbin"))) "/run/current-system/profile/sbin")))
(substitute* "src/modules/everything/evry_plug_calc.c" (substitute* "src/modules/everything/evry_plug_calc.c"
@ -347,8 +347,8 @@ (define-public enlightenment
(("libddcutil\\.so\\.?" libddcutil) (("libddcutil\\.so\\.?" libddcutil)
(string-append ddcutil "/lib/" libddcutil))) (string-append ddcutil "/lib/" libddcutil)))
(substitute* "data/etc/meson.build" (substitute* "data/etc/meson.build"
(("/bin/mount") "/run/setuid-programs/mount") (("/bin/mount") "/run/privileged/bin/mount")
(("/bin/umount") "/run/setuid-programs/umount") (("/bin/umount") "/run/privileged/bin/umount")
(("/usr/bin/eject") "/run/current-system/profile/bin/eject")) (("/usr/bin/eject") "/run/current-system/profile/bin/eject"))
(substitute* "src/bin/system/e_system_power.c" (substitute* "src/bin/system/e_system_power.c"
(("systemctl") "loginctl")))))))) (("systemctl") "loginctl"))))))))

2
gnu/packages/gnome.scm
View file

@ -8984,7 +8984,7 @@ (define-public gdm
"--localstatedir=/var" "--localstatedir=/var"
(string-append "-Ddefault-path=" (string-append "-Ddefault-path="
(string-join '("/run/setuid-programs" (string-join '("/run/privileged/bin"
"/run/current-system/profile/bin" "/run/current-system/profile/bin"
"/run/current-system/profile/sbin") "/run/current-system/profile/sbin")
":")) ":"))

2
gnu/packages/linux.scm
View file

@ -5386,7 +5386,7 @@ (define-public singularity
(substitute* (find-files "libexec/cli" "\\.exec$") (substitute* (find-files "libexec/cli" "\\.exec$")
(("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid" (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
_ program) _ program)
(string-append "/run/setuid-programs/singularity-" (string-append "/run/privileged/bin/singularity-"
program "-helper"))) program "-helper")))
;; These squashfs mount options are apparently no longer ;; These squashfs mount options are apparently no longer

19
gnu/packages/lxde.scm
View file

@ -372,26 +372,23 @@ (define-public spacefm
(substitute* '("mime-type/mime-type.c" "ptk/ptk-file-menu.c") (substitute* '("mime-type/mime-type.c" "ptk/ptk-file-menu.c")
(("/usr(/local)?/share/mime") mime))) (("/usr(/local)?/share/mime") mime)))
#t))) #t)))
(add-after 'patch-mime-dirs 'patch-setuid-progs (add-after 'patch-mime-dirs 'patch-privileged-programs
(lambda _ (lambda _
(let* ((su "/run/setuid-programs/su") (let ((privileged (lambda (command)
(mount "/run/setuid-programs/mount") (string-append "/run/privileged/bin/"
(umount "/run/setuid-programs/umount") command))))
(udevil "/run/setuid-programs/udevil"))
(with-directory-excursion "src" (with-directory-excursion "src"
(substitute* '("settings.c" "settings.h" "vfs/vfs-file-task.c" (substitute* '("settings.c" "settings.h" "vfs/vfs-file-task.c"
"vfs/vfs-volume-hal.c" "../data/ui/prefdlg.ui" "vfs/vfs-volume-hal.c" "../data/ui/prefdlg.ui"
"../data/ui/prefdlg2.ui") "../data/ui/prefdlg2.ui")
(("(/usr)?/bin/su") su) (("(/usr)?/s?bin/(mount|umount|su|udevil)" _ _ command)
(("/(bin|sbin)/mount") mount) (privileged command))))
(("/(bin|sbin)/umount") umount)
(("/usr/bin/udevil") udevil)))
#t))) #t)))
(add-after 'patch-setuid-progs 'patch-spacefm-conf (add-after 'patch-privileged-programs 'patch-spacefm.conf
(lambda* (#:key inputs #:allow-other-keys) (lambda* (#:key inputs #:allow-other-keys)
(substitute* "etc/spacefm.conf" (substitute* "etc/spacefm.conf"
(("#terminal_su=/bin/su") (("#terminal_su=/bin/su")
"terminal_su=/run/setuid-programs/su") "terminal_su=/run/privileged/bin/su")
(("#graphical_su=/usr/bin/gksu") (("#graphical_su=/usr/bin/gksu")
(string-append "graphical_su=" (string-append "graphical_su="
(search-input-file inputs "/bin/ktsuss"))))))) (search-input-file inputs "/bin/ktsuss")))))))

2
gnu/packages/monitoring.scm
View file

@ -186,7 +186,7 @@ (define-public zabbix-agentd
"src/zabbix_server/server.c") "src/zabbix_server/server.c")
;; 'fping' must be setuid, so look for it in the usual location. ;; 'fping' must be setuid, so look for it in the usual location.
(("/usr/sbin/fping6?") (("/usr/sbin/fping6?")
"/run/setuid-programs/fping"))))) "/run/privileged/bin/fping")))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
(list #:configure-flags (list #:configure-flags

2
gnu/packages/virtualization.scm
View file

@ -846,7 +846,7 @@ (define-public ganeti
;; hard coded PATH. Patch so it works on Guix System. ;; hard coded PATH. Patch so it works on Guix System.
(substitute* "src/Ganeti/Constants.hs" (substitute* "src/Ganeti/Constants.hs"
(("/sbin:/bin:/usr/sbin:/usr/bin") (("/sbin:/bin:/usr/sbin:/usr/bin")
"/run/setuid-programs:/run/current-system/profile/sbin:\ "/run/privileged/bin:/run/current-system/profile/sbin:\
/run/current-system/profile/bin")))) /run/current-system/profile/bin"))))
(add-after 'bootstrap 'patch-sphinx-version-detection (add-after 'bootstrap 'patch-sphinx-version-detection
(lambda _ (lambda _

2
gnu/packages/xdisorg.scm
View file

@ -2710,7 +2710,7 @@ (define-public xsecurelock
'(#:configure-flags '(#:configure-flags
'("--with-pam-service-name=login" '("--with-pam-service-name=login"
"--with-xkb" "--with-xkb"
"--with-default-authproto-module=/run/setuid-programs/authproto_pam"))) "--with-default-authproto-module=/run/privileged/bin/authproto_pam")))
(native-inputs (native-inputs
(list pandoc pkg-config)) (list pandoc pkg-config))
(inputs (inputs

2
gnu/services/dbus.scm
View file

@ -115,7 +115,7 @@ (define (services->sxml services)
;; failures such as <https://issues.guix.gnu.org/52051> on slow ;; failures such as <https://issues.guix.gnu.org/52051> on slow
;; computers with slow I/O. ;; computers with slow I/O.
(limit (@ (name "auth_timeout")) "300000") (limit (@ (name "auth_timeout")) "300000")
(servicehelper "/run/setuid-programs/dbus-daemon-launch-helper") (servicehelper "/run/privileged/bin/dbus-daemon-launch-helper")
;; First, the '.service' files of services subject to activation. ;; First, the '.service' files of services subject to activation.
;; We use a fixed location under /etc because the setuid helper ;; We use a fixed location under /etc because the setuid helper

2
gnu/services/ganeti.scm
View file

@ -182,7 +182,7 @@ (define-module (gnu services ganeti)
;; Ceph, Gluster, etc, without having to add absolute references to everything. ;; Ceph, Gluster, etc, without having to add absolute references to everything.
(define %default-ganeti-environment-variables (define %default-ganeti-environment-variables
(list (string-append "PATH=" (list (string-append "PATH="
(string-join '("/run/setuid-programs" (string-join '("/run/privileged/bin"
"/run/current-system/profile/sbin" "/run/current-system/profile/sbin"
"/run/current-system/profile/bin") "/run/current-system/profile/bin")
":")))) ":"))))

2
gnu/services/monitoring.scm
View file

@ -1016,7 +1016,7 @@ (define (zabbix-agent-shepherd-service config)
/etc/ssl/certs" /etc/ssl/certs"
"SSL_CERT_FILE=/run/current-system/profile\ "SSL_CERT_FILE=/run/current-system/profile\
/etc/ssl/certs/ca-certificates.crt" /etc/ssl/certs/ca-certificates.crt"
"PATH=/run/setuid-programs:\ "PATH=/run/privileged/bin:\
/run/current-system/profile/bin:/run/current-system/profile/sbin"))) /run/current-system/profile/bin:/run/current-system/profile/sbin")))
(stop #~(make-kill-destructor))))) (stop #~(make-kill-destructor)))))

2
gnu/tests/ldap.scm
View file

@ -144,7 +144,7 @@ (define marionette
(test-assert "Can become LDAP user" (test-assert "Can become LDAP user"
(marionette-eval (marionette-eval
'(zero? (system* "/run/setuid-programs/su" "eva" "-c" '(zero? (system* "/run/privileged/bin/su" "eva" "-c"
#$(file-append coreutils "/bin/true"))) #$(file-append coreutils "/bin/true")))
marionette)) marionette))

4
gnu/tests/monitoring.scm
View file

@ -189,11 +189,11 @@ (define marionette
(start-service 'postgres)) (start-service 'postgres))
marionette)) marionette))
;; Add /run/setuid-programs to $PATH so that the scripts passed to ;; Add privileged programs to $PATH so that the scripts passed to
;; 'system' can find 'sudo'. ;; 'system' can find 'sudo'.
(marionette-eval (marionette-eval
'(setenv "PATH" '(setenv "PATH"
"/run/setuid-programs:/run/current-system/profile/bin") "/run/privileged/bin:/run/current-system/profile/bin")
marionette) marionette)
(test-eq "postgres create zabbix user" (test-eq "postgres create zabbix user"