[bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs.
From: Tobias Geerinckx-Rice
Subject: [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs.
Date: Sun, 5 Feb 2023 01:00:10 +0100
It has been a warning for well over a year now. Now, with
privileged-programs coming, don't let's support nested deprecation
hacks.
* gnu/system.scm (<operating-system>):
Don't ‘sanitize’ the setuid-programs field.
(ensure-setuid-program-list): Delete syntax.
(%ensure-setuid-program-list): Delete variable.
---
gnu/system.scm | 28 +---------------------------
1 file changed, 1 insertion(+), 27 deletions(-)
diff --git a/gnu/system.scm b/gnu/system.scm
index df60fda53b..85380136e2 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -297,8 +297,7 @@ (define-record-type* <operating-system> operating-system
(pam-services operating-system-pam-services ; list of PAM services
(default (base-pam-services)))
(setuid-programs operating-system-setuid-programs
- (default %setuid-programs) ; list of <setuid-program>
- (sanitize ensure-setuid-program-list))
+ (default %setuid-programs)) ; list of <setuid-program>
(sudoers-file operating-system-sudoers-file ; file-like
(default %sudoers-specification))
@@ -1214,31 +1213,6 @@ (define (operating-system-environment-variables os)
;; TODO: Remove when glibc@2.23 is long gone.
("GUIX_LOCPATH" . "/run/current-system/locale")))
-;; Ensure LST is a list of <setuid-program> records and warn otherwise.
-(define-with-syntax-properties (ensure-setuid-program-list (lst properties))
- (%ensure-setuid-program-list lst properties))
-
-;; We want to be able to use defines, so define a procedure.
-(define (%ensure-setuid-program-list lst properties)
- (define warned? #f)
-
- (define (warn-once)
- (unless warned?
- (warning (source-properties->location properties)
- (G_ "representing setuid programs with file-like objects is \
-deprecated; use 'setuid-program' instead~%"))
- (set! warned? #t)))
-
- (map (match-lambda
- ((? setuid-program? program)
- program)
- (program
- ;; PROGRAM is a file-like or a gexp like #~(string-append #$foo
- ;; "/bin/bar").
- (warn-once)
- (setuid-program (program program))))
- lst))
-
(define %setuid-programs
;; Default set of setuid-root programs.
(let ((shadow (@ (gnu packages admin) shadow)))
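Review bot: with `ensure-setuid-program-list` and `%ensure-setuid-program-list` gone, check whether `define-with-syntax-properties`, `source-properties->location`, `warning`, `G_` and `match-lambda` are still used elsewhere in this file; any of them that were imported only for the deleted code should be dropped from the module's `#:use-module` clauses in this same commit so the deletion is self-contained and does not leave unused imports behind. Also worth confirming that `setuid-program` (used just below in `%setuid-programs`) remains imported, since its only other use in this file was inside the deleted `match-lambda`.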
base-commit: 2b1383c0a2f79117103b142440c64f6a751d545d
prerequisite-patch-id: 886fb4af654b597857d992a7c1e9c4bcc8bf5ab6
prerequisite-patch-id: 159d9e2558e5fb2dfc1d7442440e154dba14e500
prerequisite-patch-id: 2a1dffe5206b8a67cc544267d4ce4ddd23f3f290
prerequisite-patch-id: 992a4004d5fc0c427696da0b142942008c987083
prerequisite-patch-id: ee47c54ab1f9c72ee6974eca16aa311c80601048
prerequisite-patch-id: b50c71d9cc8fb39d18f448d9db6d61eca9f0f25b
prerequisite-patch-id: 15aab9bfe126cf392055f82d0831ad2bd8622ad4
prerequisite-patch-id: 83928f7dc391bf556c5d4405ca966c60bfdfff4b
prerequisite-patch-id: 4370270b5f1db400fe91d922da17390ef76d7962
prerequisite-patch-id: 1bf3ab2da9cb51156f6b28aac26b1c9e46f58f3c
prerequisite-patch-id: e082433b46efa579b4026c24466af3bb375c66a9
prerequisite-patch-id: 37587dd99ea94d6fd06e5a85600364a9b9e30257
prerequisite-patch-id: 48b2c23df7636eb66789649d5465c5aba5551c6d
prerequisite-patch-id: ee83168a69856ce6aacac6399af1e0f6b6126001
prerequisite-patch-id: 313f790e410773ccec61a27665d372b1f45b7236
prerequisite-patch-id: e82c8b9f3dd1b945f7cb937cf34f308b74759ca8
prerequisite-patch-id: ebd98ed22463fdb02fcfc5108a39bda89020cddd
prerequisite-patch-id: aa023f744b32055ca87a6131b0791d7524f03749
prerequisite-patch-id: 780a9840ba83b219743a5d4847dcec3e6bd4eb4c
prerequisite-patch-id: d337437b304428933fd187c3d38669f1ab6810f5
prerequisite-patch-id: 088d2163c05a955c2dc69c32cfd07a2c9bbb38fe
prerequisite-patch-id: f49f51dfc2e47144c8c9b27534f4d041d4c0abce
--
2.39.1
- [bug#61462] Add support for file capabilities(7), Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs., Tobias Geerinckx-Rice (this message)
- [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps (gnu system privilege)., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 05/10] system: Add (gnu system privilege)., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system>., Tobias Geerinckx-Rice, 2023/02/12