operating-systems: buer: Use privileged-programs instead of setuid-programs

operating-systems/buer.scm

@@ -77,6 +77,8 @@
                       #:prefix build-machine:)
   #|C|# #:use-module ((buer channels)
                       #:prefix channel:)
+  #|P|# #:use-module ((buer privilege)
+                      #:prefix privileged-programs:)
   #|U|# #:use-module ((buer users)
                       #:prefix user:)
 
@@ -166,15 +168,11 @@
    #|Do not generate a sudoers file|#
    (sudoers-file #f)
 
-   #|Run some programs from each package with file owner privileges|#
+   #|Run some programs from with file privileges|#
-   (setuid-programs
+   (privileged-programs
-    (map-setuid-programs
+     (append privileged-programs:authentication
-      (shadow     `("passwd" "chfn" "sg" "su" "newgrp" "newuidmap" "newgidmap"))
+             privileged-programs:file-systems
-      (inetutils  `("ping" "ping6"))
+             privileged-programs:network))
-      (opendoas   `("doas"))
-      (fuse-2     `("fusermount"))
-      (fuse       `("fusermount3"))
-      (util-linux `("mount" "umount"))))
 
    #|Allow resolution of '.local' host names with mDNS|#
    (name-service-switch %mdns-host-lookup-nss)

operating-systems/buer/privilege.scm

@@ -0,0 +1,57 @@
+(define-module (buer privilege)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu system privilege)
+  #:use-module (guix gexp)
+
+  #:export (authentication
+            file-systems
+            network))
+
+(define authentication
+  (list (privileged-program
+          (program (file-append opendoas "/bin/doas"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/passwd"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/chfn"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/sg"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/su"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newgrp"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newuidmap"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newgidmap"))
+          (setuid? #t))))
+
+(define file-systems
+  (list (privileged-program
+          (program (file-append fuse "/bin/fusermount3"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append fuse-2 "/bin/fusermount"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append util-linux "/bin/mount"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append util-linux "/bin/umount"))
+          (setuid? #t))))
+
+(define network
+  (list (privileged-program
+          (program (file-append inetutils "/bin/ping"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append inetutils "/bin/ping6"))
+          (setuid? #t))))