[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#62725: Undefined activation ordering between ‘setuid-program-service
|
From: |
Brian Cully |
|
Subject: |
bug#62725: Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’ |
|
Date: |
Sat, 08 Apr 2023 10:53:07 -0400 |
|
User-agent: |
mu4e 1.10.0; emacs 28.2 |
There is currently no way to ensure that an account exists before
creating /run/setuid-programs, which means a setuid-program which
uses a custom user or group will fail to be created if setuid
activation happens before account activation.
As an example, here's a system config where I'm trying to install
‘/run/setuid-programs/dumpcap’ as setuid root with a primary group
of ‘wireshark’, also created by this config:
--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
(gnu system setuid))
(use-package-modules networking)
(use-service-modules setuid)
;; TODO: make name configurable
(define %wireshark-groups
(list (user-group
(name "wireshark")
(system? #t))))
(define %wireshark-setuid-programs
(list (setuid-program
(program (file-append wireshark "/bin/dumpcap"))
(group "wireshark")
#;(mask #o550))))
(define wireshark-service-type
(service-type
(name 'wireshark)
(description "Allow use of wireshark by regular users in the
@code{wireshark} group.")
(extensions
(list (service-extension account-service-type
(const %wireshark-groups))
(service-extension setuid-program-service-type
(const %wireshark-setuid-programs))))
(default-value #f)))
(operating-system
(locale "en_US.utf8")
(timezone "America/New_York")
(keyboard-layout (keyboard-layout "us"))
(host-name "wireshark-test")
(users (cons* (user-account
(name "test")
(group "users")
(password (crypt "test" "$6$test"))
(supplementary-groups
'("wireshark")))
%base-user-accounts))
(packages
(cons*
(specification->package "wireshark")
%base-packages))
(services
(cons*
(service wireshark-service-type)
%base-services))
(bootloader
(bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
(keyboard-layout keyboard-layout)))
(file-systems
(cons* (file-system
(mount-point "/")
(device
(uuid "14f4e958-be9e-41bb-bd25-e90a7330093c"
'btrfs))
(type "btrfs"))
(file-system
(mount-point "/boot/efi")
(device (uuid "6866-56B1" 'fat32))
(type "vfat"))
%base-file-systems)))
--8<---------------cut here---------------end--------------->8---
When trying to boot this system in a VM, I'm told that the dumpcap
binary couldn't be created because the file wasn't found. The
returned error is improperly attributed: the source file does
exist, and the error code is actually coming from getgrent(3)
which cannot find the ‘wireshark’ group.
Tracing through the activation scripts shows this to be because,
in this case, setuid-program activation happens before
account-activation.
Thanks to jpoiret for doing a lot of the investigative work here,
which I'm merely verifying through testing.
I believe the correct solution here is to move ‘setuid-program’
activation to a one-shot Shepherd service, because Shepherd allows
explicit ordering, as well as other advantages. To that end, I
have a patch which does precisely that, which I will send to the
patches list shorty.
-bjc
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#62725: Undefined activation ordering between ‘setuid-program-service-type’ and ‘account-service-type’,
Brian Cully <=