operating-systems: buer: Use privileged-programs instead of setuid-programs

2024-08-22 00:03:41 -03:00 · 2024-08-22 00:03:41 -03:00 · fc350ac313
parent 2f8f91a4c6
commit fc350ac313
2 changed files with 64 additions and 9 deletions
--- a/operating-systems/buer.scm
+++ b/operating-systems/buer.scm
@ -77,6 +77,8 @@
                      #:prefix build-machine:)
  #|C|# #:use-module ((buer channels)
                      #:prefix channel:)
+  #|P|# #:use-module ((buer privilege)
+                      #:prefix privileged-programs:)
  #|U|# #:use-module ((buer users)
                      #:prefix user:)

@ -166,15 +168,11 @@
   #|Do not generate a sudoers file|#
   (sudoers-file #f)

-   #|Run some programs from each package with file owner privileges|#
-   (setuid-programs
-    (map-setuid-programs
-      (shadow     `("passwd" "chfn" "sg" "su" "newgrp" "newuidmap" "newgidmap"))
-      (inetutils  `("ping" "ping6"))
-      (opendoas   `("doas"))
-      (fuse-2     `("fusermount"))
-      (fuse       `("fusermount3"))
-      (util-linux `("mount" "umount"))))
+   #|Run some programs from with file privileges|#
+   (privileged-programs
+     (append privileged-programs:authentication
+             privileged-programs:file-systems
+             privileged-programs:network))

   #|Allow resolution of '.local' host names with mDNS|#
   (name-service-switch %mdns-host-lookup-nss)
--- a/operating-systems/buer/privilege.scm
+++ b/operating-systems/buer/privilege.scm
@ -0,0 +1,57 @@
+(define-module (buer privilege)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu system privilege)
+  #:use-module (guix gexp)
+
+  #:export (authentication
+            file-systems
+            network))
+
+(define authentication
+  (list (privileged-program
+          (program (file-append opendoas "/bin/doas"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/passwd"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/chfn"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/sg"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/su"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newgrp"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newuidmap"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append shadow "/bin/newgidmap"))
+          (setuid? #t))))
+
+(define file-systems
+  (list (privileged-program
+          (program (file-append fuse "/bin/fusermount3"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append fuse-2 "/bin/fusermount"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append util-linux "/bin/mount"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append util-linux "/bin/umount"))
+          (setuid? #t))))
+
+(define network
+  (list (privileged-program
+          (program (file-append inetutils "/bin/ping"))
+          (setuid? #t))
+        (privileged-program
+          (program (file-append inetutils "/bin/ping6"))
+          (setuid? #t))))