From fc350ac31326b03272678014d070c047a383ba0f Mon Sep 17 00:00:00 2001 From: Luis Guilherme Coelho Date: Thu, 22 Aug 2024 00:03:41 -0300 Subject: [PATCH] operating-systems: buer: Use privileged-programs instead of setuid-programs --- operating-systems/buer.scm | 16 ++++---- operating-systems/buer/privilege.scm | 57 ++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 9 deletions(-) create mode 100644 operating-systems/buer/privilege.scm diff --git a/operating-systems/buer.scm b/operating-systems/buer.scm index ce1af14..ab08b29 100644 --- a/operating-systems/buer.scm +++ b/operating-systems/buer.scm @@ -77,6 +77,8 @@ #:prefix build-machine:) #|C|# #:use-module ((buer channels) #:prefix channel:) + #|P|# #:use-module ((buer privilege) + #:prefix privileged-programs:) #|U|# #:use-module ((buer users) #:prefix user:) @@ -166,15 +168,11 @@ #|Do not generate a sudoers file|# (sudoers-file #f) - #|Run some programs from each package with file owner privileges|# - (setuid-programs - (map-setuid-programs - (shadow `("passwd" "chfn" "sg" "su" "newgrp" "newuidmap" "newgidmap")) - (inetutils `("ping" "ping6")) - (opendoas `("doas")) - (fuse-2 `("fusermount")) - (fuse `("fusermount3")) - (util-linux `("mount" "umount")))) + #|Run some programs from with file privileges|# + (privileged-programs + (append privileged-programs:authentication + privileged-programs:file-systems + privileged-programs:network)) #|Allow resolution of '.local' host names with mDNS|# (name-service-switch %mdns-host-lookup-nss) diff --git a/operating-systems/buer/privilege.scm b/operating-systems/buer/privilege.scm new file mode 100644 index 0000000..98b69b9 --- /dev/null +++ b/operating-systems/buer/privilege.scm 
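Review bot: The replacement comment in the second hunk of buer.scm, `#|Run some programs from with file privileges|#`, is garbled and no longer says what the field does. Since the list of binaries now lives in `(buer privilege)`, the operating-system declaration no longer shows which programs are installed setuid root, so the comment should say so, for example `#|Install the programs listed in (buer privilege) as setuid root|#`. The enclosing operating-system form starts and ends outside the hunk.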
@@ -0,0 +1,57 @@
+(define-module (buer privilege)
+ #:use-module (gnu packages admin)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu system privilege)
+ #:use-module (guix gexp)
+
+ #:export (authentication
+ file-systems
+ network))
+
+(define authentication
+ (list (privileged-program
+ (program (file-append opendoas "/bin/doas"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/passwd"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/chfn"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/sg"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/su"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/newgrp"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/newuidmap"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append shadow "/bin/newgidmap"))
+ (setuid? #t))))
+
+(define file-systems
+ (list (privileged-program
+ (program (file-append fuse "/bin/fusermount3"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append fuse-2 "/bin/fusermount"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append util-linux "/bin/mount"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append util-linux "/bin/umount"))
+ (setuid? #t))))
+
+(define network
+ (list (privileged-program
+ (program (file-append inetutils "/bin/ping"))
+ (setuid? #t))
+ (privileged-program
+ (program (file-append inetutils "/bin/ping6"))
+ (setuid? #t))))
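Review bot: Both entries in `network` keep `(setuid? #t)`, so ping and ping6 still run with full root privileges even though the move to `privileged-program` records makes a narrower grant possible. If the `(gnu system privilege)` in the pinned Guix revision supports the `capabilities` field, replacing `(setuid? #t)` with `(capabilities "cap_net_raw=ep")` on those two records would limit them to raw-socket access. It is worth confirming that the inetutils binaries work that way before switching. The module also carries no commentary; a short header comment stating that every program in these three lists is installed setuid root, with one line per list on why it needs that, would make later audits easier. Separately, newuidmap and newgidmap sit under `authentication` although they set up user-namespace ID mappings, so a separate list or a comment would keep the grouping honest.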