guix-patches

[bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl


From: Brice Waegeneire
Subject: [bug#41763] services: opensmtpd: Fix the setgid problem for the smtpctl utility.
Date: Mon, 15 Jun 2020 17:12:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.91 (gnu/linux)

Hello Maxim,

Thank you for the patchset!

maxim.cournoyer@gmail.com writes:

> The following patches provide a means to specify a user and group for a
> setuid program, and use that to fix a setgid permission issue in the
> context of the opensmtpd service.

I applied it to try to use wireshark as non-root[0]:

--8<---------------cut here---------------start------------->8---
(simple-service 'wireshark-group account-service-type
                   (list (user-group (name "wireshark") (system? #t))))
(simple-service 'wireshark-dumpcap setuid-program-service-type
                   (list (list (file-append wireshark "/bin/dumpcap")
                               "root" "wireshark")))
--8<---------------cut here---------------end--------------->8---

And unfortunately the first run of “guix reconfigure” failed to make
“dumpcap” setuid, but subsequent runs succeeded:

--8<---------------cut here---------------start------------->8---
[…]
setting up setuid programs in '/run/setuid-programs'...
warning: failed to make 
'/gnu/store/vdlk9rli5k5svy8p7bhf90ln03ybnxgj-wireshark-3.2.4/bin/dumpcap' 
setuid (root:wireshark): Success
populating /etc from /gnu/store/hxjyvg80zjaxfynjyk3jgqsn9249azmx-etc...
[…]
--8<---------------cut here---------------end--------------->8---

I guess it's because at first there wasn't a wireshark group on my
system: adding the group and the setuid program was done in the same
run, but “setting up setuid programs” is done before “populating /etc”
(comprising /etc/passwd), which in effect ended up trying to setuid
“dumpcap” before the “wireshark” group existed. Subsequent runs
succeeded in creating a setuid “dumpcap” because the new group was
already on the system, having been created during the first run.

Populating /etc before setting up /run/setuid-programs should fix that
issue, but maybe there is a reason behind the current order of execution.

> Christopher, you should be able to leverage this new facility to
> configure the uid/gid of the sendmail program to that of the smtpq user,
> like this:
>
> (operating-system
>   [...]
>   (setuid-programs (cons (list (file-append sendmail "/usr/sbin/sendmail")
>                                "smtpq")
>                          %setuid-programs)))
>

Aside from that, I wonder if specifying user and group in a list is
future-proof; maybe using a record would be more Guixy. In particular I
would like to be able to set capabilities (as with “setcap”) on binaries
since the store doesn't support it[1], if that's even possible, but that's
another issue.

[0]: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes
[1]: https://lists.gnu.org/archive/html/help-guix/2016-11/msg00046.html

- Brice
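The failure described above (the setuid step running before the group exists, with the error reported as "Success") is what an explicit name check avoids. The following is an added example, not code from the patch or from Guix itself: it resolves the user and group against the account database before copying or chowning anything, so a not-yet-populated /etc is reported by name. The PASSWD_FILE/GROUP_FILE overrides are an assumption so the script can run against constructed sample files.

```shell
# Account files to resolve names against. Overridable (an assumption of this
# example, not a Guix option) so it can run against constructed sample files.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# lookup_id NAME FILE: print the numeric id of NAME from a passwd/group-style
# FILE; exit non-zero when NAME is absent.
lookup_id() {
    awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { exit !found }' "$2"
}

# resolve_owner USER GROUP: print "uid:gid", or fail naming the missing
# account, so a group that does not exist yet is reported as such instead of
# surfacing later as a misleading errno message.
resolve_owner() {
    uid=$(lookup_id "$1" "$PASSWD_FILE") || { echo "user '$1' does not exist yet" >&2; return 1; }
    gid=$(lookup_id "$2" "$GROUP_FILE") || { echo "group '$2' does not exist yet" >&2; return 1; }
    echo "$uid:$gid"
}

# install_setuid PROGRAM USER GROUP DESTDIR: copy PROGRAM into DESTDIR as a
# setuid/setgid binary (mode 6555) owned by USER:GROUP. Nothing is copied or
# chowned unless both names resolve first (needs root for the chown).
install_setuid() {
    owner=$(resolve_owner "$2" "$3") || return 1
    target="$4/$(basename "$1")"
    cp "$1" "$target" && chown "$owner" "$target" && chmod 6555 "$target"
}
```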
