--- Begin Message ---
Subject: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sun, 08 Oct 2017 21:25:15 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.
‘activate-setuid-programs’ in (gnu build activation) does this:
  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      ;; Hard-links PROG into /run/setuid-programs when possible (falls back
      ;; to copying); a hard link shares the store file's inode.
      (link-or-copy prog target)
      ;; Both chown and chmod operate on the inode, so through a hard link
      ;; they also change the file in the store.
      (chown target 0 0)
      (chmod target #o6555)))
which amounts to:
1. ln /gnu/store/…/bin/su /run/setuid-programs/su
2. chmod +s /run/setuid-programs/su
meaning that *both* ‘su’ files become setuid root.
This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.
Detailed announcement and fix coming.
Ludo’.
--- End Message ---
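The mechanism described in the message above, as an added example (not code from the bug report or from Guix): in a throw-away directory it builds a fake "store" file, activates it the way the report describes (hard link, then chmod) and shows that the store file itself acquires the setuid bit, because the link and the original are the same inode. It also runs a copy-first variant, which leaves the store file untouched, and an audit that lists setuid/setgid files under the fake store, the same check a practitioner would run against /gnu/store. Assumptions: it runs unprivileged, so there is no chown to root and it sets mode 4555 rather than 6555 (a non-root user may not be able to set the setgid bit); the temporary directory lives on one filesystem so hard links work; and whether the real fix copies instead of linking is not stated on this page, the copy variant is only an illustration of the alternative.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Guix.
# Demonstrates why chmod on a hard link in /run/setuid-programs makes
# the store file setuid too, and how a copy avoids it.
# Assumptions: unprivileged run (mode 4555, no chown 0 0); mktemp -d
# returns a directory on a single filesystem (hard links allowed).

# Create a fake store with one "su" and an empty setuid directory;
# prints the work directory. Paths below are constructed, not Guix's.
setup_fake_store() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/store/bin" "$w/run/setuid-programs"
    printf '#!/bin/sh\necho fake su\n' > "$w/store/bin/su"
    chmod 555 "$w/store/bin/su"
    echo "$w"
}

# 10-character POSIX mode string of a file, e.g. "-r-sr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit status 0 when the setuid bit is set (4th character is 's' or 'S').
is_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Audit: list every setuid or setgid regular file below a directory.
# Against a real system: find /gnu/store -type f \( -perm -4000 -o -perm -2000 \)
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Buggy strategy, mirroring "link-or-copy" followed by chmod: the link
# shares the source's inode, so the new mode is visible through both paths.
activate_by_link() {
    ln "$1" "$2" && chmod 4555 "$2"
}

# Copy-first strategy: only the copy under the setuid directory gets the bit.
activate_by_copy() {
    cp "$1" "$2" && chmod 4555 "$2"
}

# Run both strategies on two fresh store files and report whether each
# *store* file ended up setuid, plus how many hits the audit finds in
# the linked store. Prints "link=setuid copy=clean store-hits=1".
compare_strategies() {
    w=$(setup_fake_store) || return 1
    mkdir -p "$w/store2/bin"
    cp "$w/store/bin/su" "$w/store2/bin/su"
    chmod 555 "$w/store2/bin/su"
    activate_by_link "$w/store/bin/su"  "$w/run/setuid-programs/su"
    activate_by_copy "$w/store2/bin/su" "$w/run/setuid-programs/su2"
    if is_setuid "$w/store/bin/su";  then a=setuid; else a=clean; fi
    if is_setuid "$w/store2/bin/su"; then b=setuid; else b=clean; fi
    n=$(find_setuid_files "$w/store" | wc -l | tr -d ' ')
    rm -rf "$w"
    echo "link=$a copy=$b store-hits=$n"
}

compare_strategies
```

The audit function is the useful take-away for anyone running an affected system: the store is supposed to contain no setuid or setgid files at all, so any hit from `find /gnu/store -type f \( -perm -4000 -o -perm -2000 \)` is a sign of this bug (or of something worse) and worth investigating.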
--- Begin Message ---
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sun, 08 Oct 2017 21:54:22 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
address@hidden (Ludovic Courtès) skribis:
> address@hidden (Ludovic Courtès) skribis:
>
>> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> create setuid-root binaries under /gnu/store for all the programs listed
>> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>
> Fixed by
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
Detailed announcement at:
https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
Ludo’.
--- End Message ---