-rw-r--r--doc/guix-cookbook.texi10
-rw-r--r--gnu/packages/containers.scm4
-rw-r--r--gnu/packages/disk.scm6
-rw-r--r--gnu/packages/mail.scm2
-rw-r--r--gnu/packages/patches/enlightenment-fix-setuid-path.patch14
-rw-r--r--gnu/packages/spice.scm2
-rw-r--r--gnu/packages/xdisorg.scm18
7 files changed, 30 insertions, 26 deletions
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index da67921ad0..4c2b23786c 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -3791,13 +3791,15 @@ QEMU comes with a helper program to conveniently make use of a network
bridge interface as an unprivileged user @pxref{Network options,,, QEMU,
QEMU Documentation}. The binary must be made setuid root for proper
operation; this can be achieved by adding it to the
-@code{setuid-programs} field of your (host) @code{operating-system}
+@code{privileged-programs} field of your (host) @code{operating-system}
definition, as shown below:
@example lisp
-(setuid-programs
- (cons (file-append qemu "/libexec/qemu-bridge-helper")
- %setuid-programs))
+(privileged-programs
+ (cons (privileged-program
+ (program (file-append qemu "/libexec/qemu-bridge-helper"))
+ (setuid? #t))
+ %default-privileged-programs))
@end example
The file @file{/etc/qemu/bridge.conf} must also be made to allow the
diff --git a/gnu/packages/containers.scm b/gnu/packages/containers.scm
index 6ce9042c13..929234c772 100644
--- a/gnu/packages/containers.scm
+++ b/gnu/packages/containers.scm
@@ -536,7 +536,7 @@ Its main purpose is to support the key usage by @code{docker-init}:
,(string-append #$iptables "/sbin")
,(string-append #$passt "/bin")
,(string-append #$procps "/bin") ; ps
- "/run/setuid-programs")))))
+ "/run/privileged/bin")))))
(add-after 'install 'install-completions
(lambda _
(invoke "make" "install.completions"
@@ -669,7 +669,7 @@ being rootless and not requiring any daemon to be running.")
(,(string-append #$crun "/bin")
,(string-append #$gcc "/bin") ; cpp
,(string-append #$passt "/bin")
- "/run/setuid-programs")))))
+ "/run/privileged/bin")))))
(add-after 'install 'install-completions
(lambda _
(invoke "make" "install.completions"
diff --git a/gnu/packages/disk.scm b/gnu/packages/disk.scm
index d45da82276..ec8ea9a94f 100644
--- a/gnu/packages/disk.scm
+++ b/gnu/packages/disk.scm
@@ -209,9 +209,9 @@ and write-back caching.")
(string-append "--sysconfdir="
(assoc-ref %outputs "out")
"/etc")
- ;; udevil expects these programs to be run with uid set as root.
- ;; user has to manually add these programs to setuid-programs.
- ;; mount and umount are default setuid-programs in guix system.
+ ;; udevil expects these programs to be run with an UID of root.
+ ;; mount and umount are %default-privileged-programs on Guix System;
+ ;; the others must be explicitly added if desired.
"--with-mount-prog=/run/privileged/bin/mount"
"--with-umount-prog=/run/privileged/bin/umount"
"--with-losetup-prog=/run/privileged/bin/losetup"
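Review bot: The first added comment line reads `an UID of root`; since the initialism is pronounced "you-eye-dee" it should be `a UID of root`, i.e. `;; udevil expects these programs to be run with a UID of root.`. The third added line says "the others must be explicitly added if desired" without naming them; only the `losetup` flag is visible in this hunk, so a reader of the comment alone has to scan the remaining `--with-*-prog` flags to find out what "the others" are, and listing them in the comment would save that. The configure-flags list this comment sits in begins and ends outside the hunk.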
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 1f24592834..3387d870b1 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -3327,7 +3327,7 @@ from the Cyrus IMAP project.")
;; avoids warning smtpd: couldn't enqueue offline message
;; smtpctl exited abnormally
(substitute* "usr.sbin/smtpd/smtpd.h"
- (("/usr/bin/smtpctl") "/run/setuid-programs/smtpctl"))
+ (("/usr/bin/smtpctl") "/run/privileged/bin/smtpctl"))
(substitute* "usr.sbin/smtpd/smtpctl.c"
;; ‘gzcat’ is auto-detected at compile time, but ‘cat’ isn't.
(("/bin/cat" file) (search-input-file inputs file)))
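Review bot: The new `"/run/privileged/bin/smtpctl"` path is baked into `smtpd.h`, so the offline-enqueue behaviour now depends on that directory existing and on `smtpctl` being installed there, but the comment above only names the warning being avoided. I would extend it with `;; Hard-coded for Guix System: presumes smtpctl is registered as a privileged program so it appears under /run/privileged/bin.` so the next person editing this substitution knows the assumption. On a system where that registration is absent the substituted path will presumably not exist and the warning will return, which is worth stating rather than leaving implicit. The enclosing build phase starts outside the hunk.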
diff --git a/gnu/packages/patches/enlightenment-fix-setuid-path.patch b/gnu/packages/patches/enlightenment-fix-setuid-path.patch
index e4f98de7c8..7233b91da8 100644
--- a/gnu/packages/patches/enlightenment-fix-setuid-path.patch
+++ b/gnu/packages/patches/enlightenment-fix-setuid-path.patch
@@ -10,7 +10,7 @@ index 6d07a0ac3..31e0e728f 100644
snprintf(buf, sizeof(buf),
- "%s/enlightenment/utils/enlightenment_ckpasswd pw",
- e_prefix_lib_get());
-+ "/run/setuid-programs/enlightenment_ckpasswd pw");
++ "/run/privileged/bin/enlightenment_ckpasswd pw");
exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
if (!exe) goto out;
snprintf(buf, sizeof(buf), "pw %s", passwd);
@@ -20,7 +20,7 @@ index 6d07a0ac3..31e0e728f 100644
snprintf(buf, sizeof(buf),
- "%s/enlightenment/utils/enlightenment_ckpasswd pk",
- e_prefix_lib_get());
-+ "/run/setuid-programs/enlightenment_ckpasswd pk");
++ "/run/privileged/bin/enlightenment_ckpasswd pk");
exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
if (!exe) goto out;
snprintf(buf, sizeof(buf), "%s %u %s", cookie, uid, passwd);
@@ -33,7 +33,7 @@ index 9b10b3117..74e6b72ad 100644
char buf[PATH_MAX];
- snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+ snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys");
++ snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys");
eeze_disk_mount_wrapper_set(v->disk, buf);
}
v->guard = ecore_timer_loop_add(E_FM_EJECT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_eject_timeout, v);
@@ -42,7 +42,7 @@ index 9b10b3117..74e6b72ad 100644
char buf[PATH_MAX];
- snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+ snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys");
++ snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys");
eeze_disk_mount_wrapper_set(v->disk, buf);
}
v->guard = ecore_timer_loop_add(E_FM_UNMOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_unmount_timeout, v);
@@ -51,7 +51,7 @@ index 9b10b3117..74e6b72ad 100644
char buf2[PATH_MAX];
- snprintf(buf2, sizeof(buf2), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+ snprintf(buf2, sizeof(buf2), "/run/setuid-programs/enlightenment_sys");
++ snprintf(buf2, sizeof(buf2), "/run/privileged/bin/enlightenment_sys");
eeze_disk_mount_wrapper_set(v->disk, buf2);
}
v->guard = ecore_timer_loop_add(E_FM_MOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_mount_timeout, v);
@@ -65,7 +65,7 @@ index 722063339..2da2d5a23 100644
myasprintf(&buf3,
- "E_ALERT_SYSTEM_BIN=%s/enlightenment/utils/enlightenment_system",
- eina_prefix_lib_get(pfx));
-+ "E_ALERT_SYSTEM_BIN=/run/setuid-programs/enlightenment_system");
++ "E_ALERT_SYSTEM_BIN=/run/privileged/bin/enlightenment_system");
putenv(buf3);
home = getenv("HOME");
@@ -78,7 +78,7 @@ index bfd43e7e2..45d78b7ed 100644
if (_respawn_count > 5) return;
snprintf(buf, sizeof(buf),
- "%s/enlightenment/utils/enlightenment_system", e_prefix_lib_get());
-+ "/run/setuid-programs/enlightenment_system");
++ "/run/privileged/bin/enlightenment_system");
_system_exe = ecore_exe_pipe_run
(buf, ECORE_EXE_NOT_LEADER | ECORE_EXE_TERM_WITH_PARENT |
ECORE_EXE_PIPE_READ | ECORE_EXE_PIPE_WRITE, NULL);
diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm
index 860b77cf5d..5c7b9c1674 100644
--- a/gnu/packages/spice.scm
+++ b/gnu/packages/spice.scm
@@ -172,7 +172,7 @@ which allows users to view a desktop computing environment.")
;; variable.
(substitute* "src/usb-acl-helper.c"
(("ACL_HELPER_PATH\"/spice-client-glib-usb-acl-helper\"")
- "\"/run/setuid-programs/spice-client-glib-usb-acl-helper\""))))
+ "\"/run/privileged/bin/spice-client-glib-usb-acl-helper\""))))
(add-before 'configure 'correct-polkit-dir
(lambda _
(substitute* "meson.build"
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 455f9170b2..180a08d13b 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -17,7 +17,7 @@
;;; Copyright © 2016 Petter <petter@mykolab.ch>
;;; Copyright © 2017 Mekeor Melire <mekeor.melire@gmail.com>
;;; Copyright © 2017 Nikita <nikita@n0.is>
-;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017–2021, 2024 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Marek Benc <dusxmt@gmx.com>
;;; Copyright © 2017 Mike Gerwitz <mtg@gnu.org>
;;; Copyright © 2018 Thomas Sigurdsen <tonton@riseup.net>
@@ -2730,15 +2730,17 @@ temperature of the screen.")
(description "@code{xsecurelock} is an X11 screen locker which uses
a modular design to avoid the usual pitfalls of screen locking utility design.
-As a consequence of the modular design, the usual screen locker service
-shouldn't be used with @code{xsecurelock}. Instead, you need to add a helper
-binary to setuid-binaries:
+As a consequence of this design, you shouldn't use the usual screen locker
+service with @code{xsecurelock}. Instead, add a helper binary to your
+@code{operating-system}'s @code{privileged-programs} field:
+
@example
-(setuid-programs
+(privileged-programs
(cons*
- (setuid-program
- (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\")))
- %setuid-programs))
+ (privileged-program
+ (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\"))
+ (setuid? #t))
+ %default-privileged-programs))
@end example")
(license license:asl2.0)))