diff options
-rw-r--r-- | doc/guix-cookbook.texi | 10 | ||||
-rw-r--r-- | gnu/packages/containers.scm | 4 | ||||
-rw-r--r-- | gnu/packages/disk.scm | 6 | ||||
-rw-r--r-- | gnu/packages/mail.scm | 2 | ||||
-rw-r--r-- | gnu/packages/patches/enlightenment-fix-setuid-path.patch | 14 | ||||
-rw-r--r-- | gnu/packages/spice.scm | 2 | ||||
-rw-r--r-- | gnu/packages/xdisorg.scm | 18 |
7 files changed, 30 insertions, 26 deletions
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index da67921ad0..4c2b23786c 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -3791,13 +3791,15 @@ QEMU comes with a helper program to conveniently make use of a network bridge interface as an unprivileged user @pxref{Network options,,, QEMU, QEMU Documentation}. The binary must be made setuid root for proper operation; this can be achieved by adding it to the -@code{setuid-programs} field of your (host) @code{operating-system} +@code{privileged-programs} field of your (host) @code{operating-system} definition, as shown below: @example lisp -(setuid-programs - (cons (file-append qemu "/libexec/qemu-bridge-helper") - %setuid-programs)) +(privileged-programs + (cons (privileged-program + (program (file-append qemu "/libexec/qemu-bridge-helper")) + (setuid? #t)) + %default-privileged-programs)) @end example The file @file{/etc/qemu/bridge.conf} must also be made to allow the diff --git a/gnu/packages/containers.scm b/gnu/packages/containers.scm index 6ce9042c13..929234c772 100644 --- a/gnu/packages/containers.scm +++ b/gnu/packages/containers.scm @@ -536,7 +536,7 @@ Its main purpose is to support the key usage by @code{docker-init}: ,(string-append #$iptables "/sbin") ,(string-append #$passt "/bin") ,(string-append #$procps "/bin") ; ps - "/run/setuid-programs"))))) + "/run/privileged/bin"))))) (add-after 'install 'install-completions (lambda _ (invoke "make" "install.completions" @@ -669,7 +669,7 @@ being rootless and not requiring any daemon to be running.") (,(string-append #$crun "/bin") ,(string-append #$gcc "/bin") ; cpp ,(string-append #$passt "/bin") - "/run/setuid-programs"))))) + "/run/privileged/bin"))))) (add-after 'install 'install-completions (lambda _ (invoke "make" "install.completions" diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm index d45da82276..ec8ea9a94f 100644 --- a/gnu/packages/disk.scm +++ b/gnu/packages/disk.scm @@ -209,9 +209,9 @@ and write-back caching.") (string-append "--sysconfdir=" (assoc-ref %outputs "out") "/etc") - ;; udevil expects these programs to be run with uid set as root. - ;; user has to manually add these programs to setuid-programs. - ;; mount and umount are default setuid-programs in guix system. + ;; udevil expects these programs to be run with an UID of root. + ;; mount and umount are %default-privileged-programs on Guix System; + ;; the others must be explicitly added if desired. "--with-mount-prog=/run/privileged/bin/mount" "--with-umount-prog=/run/privileged/bin/umount" "--with-losetup-prog=/run/privileged/bin/losetup" diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm index 1f24592834..3387d870b1 100644 --- a/gnu/packages/mail.scm +++ b/gnu/packages/mail.scm @@ -3327,7 +3327,7 @@ from the Cyrus IMAP project.") ;; avoids warning smtpd: couldn't enqueue offline message ;; smtpctl exited abnormally (substitute* "usr.sbin/smtpd/smtpd.h" - (("/usr/bin/smtpctl") "/run/setuid-programs/smtpctl")) + (("/usr/bin/smtpctl") "/run/privileged/bin/smtpctl")) (substitute* "usr.sbin/smtpd/smtpctl.c" ;; ‘gzcat’ is auto-detected at compile time, but ‘cat’ isn't. (("/bin/cat" file) (search-input-file inputs file))) diff --git a/gnu/packages/patches/enlightenment-fix-setuid-path.patch b/gnu/packages/patches/enlightenment-fix-setuid-path.patch index e4f98de7c8..7233b91da8 100644 --- a/gnu/packages/patches/enlightenment-fix-setuid-path.patch +++ b/gnu/packages/patches/enlightenment-fix-setuid-path.patch @@ -10,7 +10,7 @@ index 6d07a0ac3..31e0e728f 100644 snprintf(buf, sizeof(buf), - "%s/enlightenment/utils/enlightenment_ckpasswd pw", - e_prefix_lib_get()); -+ "/run/setuid-programs/enlightenment_ckpasswd pw"); ++ "/run/privileged/bin/enlightenment_ckpasswd pw"); exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL); if (!exe) goto out; snprintf(buf, sizeof(buf), "pw %s", passwd); @@ -20,7 +20,7 @@ index 6d07a0ac3..31e0e728f 100644 snprintf(buf, sizeof(buf), - "%s/enlightenment/utils/enlightenment_ckpasswd pk", - e_prefix_lib_get()); -+ "/run/setuid-programs/enlightenment_ckpasswd pk"); ++ "/run/privileged/bin/enlightenment_ckpasswd pk"); exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL); if (!exe) goto out; snprintf(buf, sizeof(buf), "%s %u %s", cookie, uid, passwd); @@ -33,7 +33,7 @@ index 9b10b3117..74e6b72ad 100644 char buf[PATH_MAX]; - snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx)); -+ snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys"); ++ snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys"); eeze_disk_mount_wrapper_set(v->disk, buf); } v->guard = ecore_timer_loop_add(E_FM_EJECT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_eject_timeout, v); @@ -42,7 +42,7 @@ index 9b10b3117..74e6b72ad 100644 char buf[PATH_MAX]; - snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx)); -+ snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys"); ++ snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys"); eeze_disk_mount_wrapper_set(v->disk, buf); } v->guard = ecore_timer_loop_add(E_FM_UNMOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_unmount_timeout, v); @@ -51,7 +51,7 @@ index 9b10b3117..74e6b72ad 100644 char buf2[PATH_MAX]; - snprintf(buf2, sizeof(buf2), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx)); -+ snprintf(buf2, sizeof(buf2), "/run/setuid-programs/enlightenment_sys"); ++ snprintf(buf2, sizeof(buf2), "/run/privileged/bin/enlightenment_sys"); eeze_disk_mount_wrapper_set(v->disk, buf2); } v->guard = ecore_timer_loop_add(E_FM_MOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_mount_timeout, v); @@ -65,7 +65,7 @@ index 722063339..2da2d5a23 100644 myasprintf(&buf3, - "E_ALERT_SYSTEM_BIN=%s/enlightenment/utils/enlightenment_system", - eina_prefix_lib_get(pfx)); -+ "E_ALERT_SYSTEM_BIN=/run/setuid-programs/enlightenment_system"); ++ "E_ALERT_SYSTEM_BIN=/run/privileged/bin/enlightenment_system"); putenv(buf3); home = getenv("HOME"); @@ -78,7 +78,7 @@ index bfd43e7e2..45d78b7ed 100644 if (_respawn_count > 5) return; snprintf(buf, sizeof(buf), - "%s/enlightenment/utils/enlightenment_system", e_prefix_lib_get()); -+ "/run/setuid-programs/enlightenment_system"); ++ "/run/privileged/bin/enlightenment_system"); _system_exe = ecore_exe_pipe_run (buf, ECORE_EXE_NOT_LEADER | ECORE_EXE_TERM_WITH_PARENT | ECORE_EXE_PIPE_READ | ECORE_EXE_PIPE_WRITE, NULL); diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm index 860b77cf5d..5c7b9c1674 100644 --- a/gnu/packages/spice.scm +++ b/gnu/packages/spice.scm @@ -172,7 +172,7 @@ which allows users to view a desktop computing environment.") ;; variable. (substitute* "src/usb-acl-helper.c" (("ACL_HELPER_PATH\"/spice-client-glib-usb-acl-helper\"") - "\"/run/setuid-programs/spice-client-glib-usb-acl-helper\"")))) + "\"/run/privileged/bin/spice-client-glib-usb-acl-helper\"")))) (add-before 'configure 'correct-polkit-dir (lambda _ (substitute* "meson.build" diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index 455f9170b2..180a08d13b 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -17,7 +17,7 @@ ;;; Copyright © 2016 Petter <petter@mykolab.ch> ;;; Copyright © 2017 Mekeor Melire <mekeor.melire@gmail.com> ;;; Copyright © 2017 Nikita <nikita@n0.is> -;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2017–2021, 2024 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017 Marek Benc <dusxmt@gmx.com> ;;; Copyright © 2017 Mike Gerwitz <mtg@gnu.org> ;;; Copyright © 2018 Thomas Sigurdsen <tonton@riseup.net> @@ -2730,15 +2730,17 @@ temperature of the screen.") (description "@code{xsecurelock} is an X11 screen locker which uses a modular design to avoid the usual pitfalls of screen locking utility design. -As a consequence of the modular design, the usual screen locker service -shouldn't be used with @code{xsecurelock}. Instead, you need to add a helper -binary to setuid-binaries: +As a consequence of this design, you shouldn't use the usual screen locker +service with @code{xsecurelock}. Instead, add a helper binary to your +@code{operating-system}'s @code{privileged-programs} field: + @example -(setuid-programs +(privileged-programs (cons* - (setuid-program - (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\"))) - %setuid-programs)) + (privileged-program + (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\")) + (setuid? #t)) + %default-privileged-programs)) @end example") (license license:asl2.0))) |