~ruther/guix-local

902b15b24d6ea2a1e255b88dff7670e8a95cb9a9 — Tobias Geerinckx-Rice 3 years ago e364d1a 
gnu: Replace (almost) all uses of /run/setuid-programs.

…those good for master, anyway.

* gnu/packages/admin.scm (ktsuss, opendoas, hosts)
[arguments]: Replace /run/setuid-programs with /run/privileged/bin.
* gnu/packages/containers.scm (slirp4netns)[arguments]: Likewise.
* gnu/packages/debian.scm (pbuilder)[arguments]: Likewise.
* gnu/packages/disk.scm (udevil)[arguments]: Likewise.
* gnu/packages/enlightenment.scm (efl, enlightenment)
[arguments]: Likewise.
* gnu/packages/gnome.scm (gdm, gnome-control-center)
[arguments]: Likewise.
* gnu/packages/linux.scm (singularity)[arguments]: Likewise.
* gnu/packages/lxde.scm (spacefm)[arguments]: Likewise.
* gnu/packages/monitoring.scm (zabbix-agentd)[arguments]: Likewise.
* gnu/packages/virtualization.scm (ganeti)[arguments]: Likewise.
* gnu/packages/xdisorg.scm (xsecurelock)[arguments]: Likewise.
* gnu/services/dbus.scm (dbus-configuration-directory): Likewise.
* gnu/services/ganeti.scm (%default-ganeti-environment-variables):
Likewise.
* gnu/services/monitoring.scm (zabbix-agent-shepherd-service): Likewise.
* gnu/tests/ldap.scm (marionette): Likewise.
* gnu/tests/monitoring.scm (os): Likewise.
patch browse .tar.gz 
17 files changed, 39 insertions(+), 40 deletions(-)

M gnu/machine/ssh.scm
M gnu/packages/admin.scm
M gnu/packages/containers.scm
M gnu/packages/debian.scm
M gnu/packages/disk.scm
M gnu/packages/enlightenment.scm
M gnu/packages/gnome.scm
M gnu/packages/linux.scm
M gnu/packages/lxde.scm
M gnu/packages/monitoring.scm
M gnu/packages/virtualization.scm
M gnu/packages/xdisorg.scm
M gnu/services/dbus.scm
M gnu/services/ganeti.scm
M gnu/services/monitoring.scm
M gnu/tests/ldap.scm
M gnu/tests/monitoring.scm

M gnu/machine/ssh.scm => gnu/machine/ssh.scm +2 -0
@@ 178,6 178,8 @@ shell command with escalated privileges for MACHINE's configuration."
  (if (string= "root" (machine-ssh-configuration-user
                       (machine-configuration machine)))
      '()
      ;; Use the old setuid-programs location until the remote is likely to
      ;; have the new /run/privileged one in place.
      '("/run/setuid-programs/sudo" "-n" "--")))

(define (managed-host-remote-eval machine exp)


M gnu/packages/admin.scm => gnu/packages/admin.scm +3 -3
@@ 220,7 220,7 @@
           (lambda _
             (substitute* "configure.ac"
               (("supath=`which su 2>/dev/null`")
                "supath=/run/setuid-programs/su"))
                "supath=/run/privileged/bin/su"))
             #t)))))
    (native-inputs
     (list autoconf automake libtool pkg-config))


@@ 2156,7 2156,7 @@ commands and their arguments.")
             (substitute* "doas.c"
               (("safepath =" match)
                (string-append match " \""
                               "/run/setuid-programs:"
                               "/run/privileged/bin:"
                               "/run/current-system/profile/bin:"
                               "/run/current-system/profile/sbin:"
                               "\" ")))))


@@ 5090,7 5090,7 @@ text table representation to stdout.")
                                ":" (assoc-ref %build-inputs "grep") "/bin"
                                ":" (assoc-ref %build-inputs "ncurses") "/bin"
                                ":" (assoc-ref %build-inputs "sed") "/bin"
                                ":" "/run/setuid-programs"
                                ":" "/run/privileged/bin"
                                ":" (getenv "PATH")))
         (substitute* "hosts"
           (("#!/usr/bin/env bash")


M gnu/packages/containers.scm => gnu/packages/containers.scm +1 -1
@@ 274,7 274,7 @@ containers or various tools.")
                  (add-after 'unpack 'fix-hardcoded-paths
                    (lambda _
                      (substitute* (find-files "tests" "\\.sh")
                        (("ping") "/run/setuid-programs/ping")))))))
                        (("ping") "/run/privileged/bin/ping")))))))
    (inputs
     (list glib
           libcap


M gnu/packages/debian.scm => gnu/packages/debian.scm +2 -2
@@ 725,8 725,8 @@ handling the installation and removal of Debian software packages.")
                 (lambda ()
                   (format #t "# A couple of presets to make this work more smoothly.~@
                           MIRRORSITE=\"http://deb.debian.org/debian\"~@
                           if [ -r /run/setuid-programs/sudo ]; then~@
                               PBUILDERROOTCMD=\"/run/setuid-programs/sudo -E\"~@
                           if [ -r /run/privileged/bin/sudo ]; then~@
                               PBUILDERROOTCMD=\"/run/privileged/bin/sudo -E\"~@
                           fi~@
                           PBUILDERSATISFYDEPENDSCMD=\"~a/lib/pbuilder/pbuilder-satisfydepends-apt\"~%"
                           #$output)))))


M gnu/packages/disk.scm => gnu/packages/disk.scm +7 -7
@@ 212,10 212,10 @@ and write-back caching.")
        ;; udevil expects these programs to be run with uid set as root.
        ;; user has to manually add these programs to setuid-programs.
        ;; mount and umount are default setuid-programs in guix system.
        "--with-mount-prog=/run/setuid-programs/mount"
        "--with-umount-prog=/run/setuid-programs/umount"
        "--with-losetup-prog=/run/setuid-programs/losetup"
        "--with-setfacl-prog=/run/setuid-programs/setfacl")
        "--with-mount-prog=/run/privileged/bin/mount"
        "--with-umount-prog=/run/privileged/bin/umount"
        "--with-losetup-prog=/run/privileged/bin/losetup"
        "--with-setfacl-prog=/run/privileged/bin/setfacl")
       #:phases
       (modify-phases %standard-phases
         (add-after 'unpack 'remove-root-reference


@@ 226,12 226,12 @@ and write-back caching.")
         (add-after 'unpack 'patch-udevil-reference
           ;; udevil expects itself to be run with uid set as root.
           ;; devmon also expects udevil to be run with uid set as root.
           ;; user has to manually add udevil to setuid-programs.
           ;; user has to manually add udevil to privileged-programs.
           (lambda _
             (substitute* "src/udevil.c"
               (("/usr/bin/udevil") "/run/setuid-programs/udevil"))
               (("/usr/bin/udevil") "/run/privileged/bin/udevil"))
             (substitute* "src/devmon"
               (("`which udevil 2>/dev/null`") "/run/setuid-programs/udevil"))
               (("`which udevil 2>/dev/null`") "/run/privileged/bin/udevil"))
             #t)))))
    (native-inputs
     (list intltool pkg-config))


M gnu/packages/enlightenment.scm => gnu/packages/enlightenment.scm +5 -5
@@ 149,8 149,8 @@
         "-Dbuild-examples=false"
         "-Decore-imf-loaders-disabler=scim"
         "-Dglib=true"
         "-Dmount-path=/run/setuid-programs/mount"
         "-Dunmount-path=/run/setuid-programs/umount"
         "-Dmount-path=/run/privileged/bin/mount"
         "-Dunmount-path=/run/privileged/bin/umount"
         "-Dnetwork-backend=connman"
         ,,@(if (member (%current-system)
                        (package-transitive-supported-systems luajit))


@@ 338,7 338,7 @@ Libraries with some extra bells and whistles.")
               (substitute* '("src/bin/e_sys_main.c"
                              "src/bin/e_util_suid.h")
                 (("PATH=/bin:/usr/bin:/sbin:/usr/sbin")
                  (string-append "PATH=/run/setuid-programs:"
                  (string-append "PATH=/run/privileged/bin:"
                                 "/run/current-system/profile/bin:"
                                 "/run/current-system/profile/sbin")))
               (substitute* "src/modules/everything/evry_plug_calc.c"


@@ 347,8 347,8 @@ Libraries with some extra bells and whistles.")
                 (("libddcutil\\.so\\.?" libddcutil)
                  (string-append ddcutil "/lib/" libddcutil)))
               (substitute* "data/etc/meson.build"
                 (("/bin/mount") "/run/setuid-programs/mount")
                 (("/bin/umount") "/run/setuid-programs/umount")
                 (("/bin/mount") "/run/privileged/bin/mount")
                 (("/bin/umount") "/run/privileged/bin/umount")
                 (("/usr/bin/eject") "/run/current-system/profile/bin/eject"))
               (substitute* "src/bin/system/e_system_power.c"
                 (("systemctl") "loginctl"))))))))


M gnu/packages/gnome.scm => gnu/packages/gnome.scm +1 -1
@@ 8984,7 8984,7 @@ library.")

         "--localstatedir=/var"
         (string-append "-Ddefault-path="
                        (string-join '("/run/setuid-programs"
                        (string-join '("/run/privileged/bin"
                                       "/run/current-system/profile/bin"
                                       "/run/current-system/profile/sbin")
                                     ":"))


M gnu/packages/linux.scm => gnu/packages/linux.scm +1 -1
@@ 5386,7 5386,7 @@ thanks to the use of namespaces.")
                  (substitute* (find-files "libexec/cli" "\\.exec$")
                    (("\\$SINGULARITY_libexecdir/singularity/bin/([a-z]+)-suid"
                      _ program)
                     (string-append "/run/setuid-programs/singularity-"
                     (string-append "/run/privileged/bin/singularity-"
                                    program "-helper")))

                  ;; These squashfs mount options are apparently no longer


M gnu/packages/lxde.scm => gnu/packages/lxde.scm +8 -11
@@ 372,26 372,23 @@ with freedesktop.org standard.")
                 (substitute* '("mime-type/mime-type.c" "ptk/ptk-file-menu.c")
                   (("/usr(/local)?/share/mime") mime)))
               #t)))
         (add-after 'patch-mime-dirs 'patch-setuid-progs
         (add-after 'patch-mime-dirs 'patch-privileged-programs
           (lambda _
             (let* ((su "/run/setuid-programs/su")
                    (mount "/run/setuid-programs/mount")
                    (umount "/run/setuid-programs/umount")
                    (udevil "/run/setuid-programs/udevil"))
             (let ((privileged (lambda (command)
                                 (string-append "/run/privileged/bin/"
                                                command))))
               (with-directory-excursion "src"
                 (substitute* '("settings.c" "settings.h" "vfs/vfs-file-task.c"
                                "vfs/vfs-volume-hal.c" "../data/ui/prefdlg.ui"
                                "../data/ui/prefdlg2.ui")
                   (("(/usr)?/bin/su") su)
                   (("/(bin|sbin)/mount") mount)
                   (("/(bin|sbin)/umount") umount)
                   (("/usr/bin/udevil") udevil)))
                   (("(/usr)?/s?bin/(mount|umount|su|udevil)" _ _ command)
                    (privileged command))))
               #t)))
         (add-after 'patch-setuid-progs 'patch-spacefm-conf
         (add-after 'patch-privileged-programs 'patch-spacefm.conf
           (lambda* (#:key inputs #:allow-other-keys)
             (substitute* "etc/spacefm.conf"
               (("#terminal_su=/bin/su")
                "terminal_su=/run/setuid-programs/su")
                "terminal_su=/run/privileged/bin/su")
               (("#graphical_su=/usr/bin/gksu")
                (string-append "graphical_su="
                               (search-input-file inputs "/bin/ktsuss")))))))


M gnu/packages/monitoring.scm => gnu/packages/monitoring.scm +1 -1
@@ 186,7 186,7 @@ etc. via a Web interface.  Features include:
                        "src/zabbix_server/server.c")
           ;; 'fping' must be setuid, so look for it in the usual location.
           (("/usr/sbin/fping6?")
            "/run/setuid-programs/fping")))))
            "/run/privileged/bin/fping")))))
    (build-system gnu-build-system)
    (arguments
     (list #:configure-flags


M gnu/packages/virtualization.scm => gnu/packages/virtualization.scm +1 -1
@@ 846,7 846,7 @@ firmware blobs.  You can
             ;; hard coded PATH.  Patch so it works on Guix System.
             (substitute* "src/Ganeti/Constants.hs"
               (("/sbin:/bin:/usr/sbin:/usr/bin")
                "/run/setuid-programs:/run/current-system/profile/sbin:\
                "/run/privileged/bin:/run/current-system/profile/sbin:\
/run/current-system/profile/bin"))))
         (add-after 'bootstrap 'patch-sphinx-version-detection
           (lambda _


M gnu/packages/xdisorg.scm => gnu/packages/xdisorg.scm +1 -1
@@ 2710,7 2710,7 @@ temperature of the screen.")
     '(#:configure-flags
       '("--with-pam-service-name=login"
         "--with-xkb"
         "--with-default-authproto-module=/run/setuid-programs/authproto_pam")))
         "--with-default-authproto-module=/run/privileged/bin/authproto_pam")))
    (native-inputs
     (list pandoc pkg-config))
    (inputs


M gnu/services/dbus.scm => gnu/services/dbus.scm +1 -1
@@ 115,7 115,7 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in
             ;; failures such as <https://issues.guix.gnu.org/52051> on slow
             ;; computers with slow I/O.
            (limit (@ (name "auth_timeout")) "300000")
            (servicehelper "/run/setuid-programs/dbus-daemon-launch-helper")
            (servicehelper "/run/privileged/bin/dbus-daemon-launch-helper")

            ;; First, the '.service' files of services subject to activation.
            ;; We use a fixed location under /etc because the setuid helper


M gnu/services/ganeti.scm => gnu/services/ganeti.scm +1 -1
@@ 182,7 182,7 @@
;; Ceph, Gluster, etc, without having to add absolute references to everything.
(define %default-ganeti-environment-variables
  (list (string-append "PATH="
                       (string-join '("/run/setuid-programs"
                       (string-join '("/run/privileged/bin"
                                      "/run/current-system/profile/sbin"
                                      "/run/current-system/profile/bin")
                                    ":"))))


M gnu/services/monitoring.scm => gnu/services/monitoring.scm +1 -1
@@ 1016,7 1016,7 @@ configuration file."))
/etc/ssl/certs"
                         "SSL_CERT_FILE=/run/current-system/profile\
/etc/ssl/certs/ca-certificates.crt"
                         "PATH=/run/setuid-programs:\
                         "PATH=/run/privileged/bin:\
/run/current-system/profile/bin:/run/current-system/profile/sbin")))
         (stop #~(make-kill-destructor)))))



M gnu/tests/ldap.scm => gnu/tests/ldap.scm +1 -1
@@ 144,7 144,7 @@ suffix = dc=example,dc=com")))

          (test-assert "Can become LDAP user"
            (marionette-eval
             '(zero? (system* "/run/setuid-programs/su" "eva" "-c"
             '(zero? (system* "/run/privileged/bin/su" "eva" "-c"
                              #$(file-append coreutils "/bin/true")))
             marionette))



M gnu/tests/monitoring.scm => gnu/tests/monitoring.scm +2 -2
@@ 189,11 189,11 @@ cat ~a | sudo -u zabbix psql zabbix;
                (start-service 'postgres))
             marionette))

          ;; Add /run/setuid-programs to $PATH so that the scripts passed to
          ;; Add privileged programs to $PATH so that the scripts passed to
          ;; 'system' can find 'sudo'.
          (marionette-eval
           '(setenv "PATH"
                    "/run/setuid-programs:/run/current-system/profile/bin")
                    "/run/privileged/bin:/run/current-system/profile/bin")
           marionette)

          (test-eq "postgres create zabbix user"