From 4e58dfee6c7456d1e662f66041b8a157efe8710a Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 23 Oct 2022 02:00:01 +0200 Subject: system: Add privileged-programs to . MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/system.scm (): Add new privileged-programs field, that defaults to… (%default-privileged-programs): …this new variable, renamed from… (%setuid-programs): …this, which is now defined as the empty list. * doc/guix.texi (Setuid Programs): Rename this… (Privileged Programs): …to this. Adjust all refs. Update all mentions of ‘setuid’ (whether in prose, variable names, or code samples) to use the new ‘privilege[d]’ terminology instead. (operating-system Reference, X Window, Invoking guix system) (Service Reference): Adjust likewise. --- gnu/system.scm | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'gnu/system.scm') diff --git a/gnu/system.scm b/gnu/system.scm index 4ac619d4eca..44f93f91d17 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -77,6 +77,7 @@ #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system privilege) #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) @@ -130,6 +131,7 @@ operating-system-keyboard-layout operating-system-name-service-switch operating-system-pam-services + operating-system-privileged-programs operating-system-setuid-programs operating-system-skeletons operating-system-sudoers-file @@ -174,6 +176,7 @@ local-host-aliases ;deprecated %root-account + %default-privileged-programs %setuid-programs %sudoers-specification %base-packages @@ -301,7 +304,10 @@ VERSION is the target version of the boot-parameters record." (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) + (privileged-programs operating-system-privileged-programs ; list of + (default %default-privileged-programs)) (setuid-programs operating-system-setuid-programs + ;; For backwards compatibility; will be removed. (default %setuid-programs)) ; list of (sudoers-file operating-system-sudoers-file ; file-like @@ -821,7 +827,8 @@ bookkeeping." (service host-name-service-type host-name) procs root-fs (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os)) boot-fs non-boot-fs @@ -860,7 +867,8 @@ bookkeeping." (service hosts-service-type (local-host-entries host-name))) (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) @@ -1239,8 +1247,7 @@ use 'plain-file' instead~%") ;; when /etc/machine-id is missing. Make sure these warnings are non-fatal. ("DBUS_FATAL_WARNINGS" . "0"))) -(define %setuid-programs - ;; Default set of setuid-root programs. +(define %default-privileged-programs (let ((shadow (@ (gnu packages admin) shadow))) (map file-like->setuid-program (list (file-append shadow "/bin/passwd") @@ -1262,6 +1269,12 @@ use 'plain-file' instead~%") (file-append util-linux "/bin/mount") (file-append util-linux "/bin/umount"))))) +(define %setuid-programs + ;; Do not add to this list or use it in new code! It's defined only to ease + ;; transition to %default-privileged-programs and will be removed. Some rare + ;; use cases already break, such as the obvious (remove … %setuid-programs). + '()) + (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' ;; group can do anything. See -- cgit v1.3