diff options
author | Tobias Geerinckx-Rice <me@tobias.gr> | 2022-10-23 02:00:01 +0200 |
---|---|---|
committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2024-08-11 02:00:00 +0200 |
commit | 4e58dfee6c7456d1e662f66041b8a157efe8710a (patch) | |
tree | dfe3b18e5feb938490108b9da3078e1aad220ade /gnu | |
parent | beb37ea4ad9999c28cfb60aca5d021851f9a1176 (diff) |
system: Add privileged-programs to <operating-system>.
* gnu/system.scm (<operating-system>): Add new privileged-programs
field, that defaults to…
(%default-privileged-programs): …this new variable, renamed from…
(%setuid-programs): …this, which is now defined as the empty list.
* doc/guix.texi (Setuid Programs): Rename this…
(Privileged Programs): …to this. Adjust all refs. Update all mentions
of ‘setuid’ (whether in prose, variable names, or code samples) to use
the new ‘privilege[d]’ terminology instead.
(operating-system Reference, X Window, Invoking guix system)
(Service Reference): Adjust likewise.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/packages/crypto.scm | 2 | ||||
-rw-r--r-- | gnu/services.scm | 1 | ||||
-rw-r--r-- | gnu/system.scm | 21 |
3 files changed, 18 insertions, 6 deletions
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm index d5d32d72fb..b00dc8aa4c 100644 --- a/gnu/packages/crypto.scm +++ b/gnu/packages/crypto.scm @@ -504,7 +504,7 @@ total number of shares generated.") `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out"))) ;; The "sudo" input is needed only to satisfy dependency checks in the ;; 'check' phase. The "sudo" used at runtime should come from the - ;; system's setuid-programs, so ensure no reference is kept. + ;; system's privileged-programs, so ensure no reference is kept. #:disallowed-references (,sudo) ;; TODO: Build and install gtk and qt trays #:phases diff --git a/gnu/services.scm b/gnu/services.scm index 38692b3666..553ec93a6c 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -47,7 +47,6 @@ #:use-module (gnu packages bash) #:use-module (gnu packages hurd) #:use-module (gnu system privilege) - #:use-module (gnu system setuid) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-9 gnu) diff --git a/gnu/system.scm b/gnu/system.scm index 4ac619d4ec..44f93f91d1 100644 --- a/gnu/system.scm +++ b/gnu/system.scm @@ -77,6 +77,7 @@ #:use-module (gnu system locale) #:use-module (gnu system pam) #:use-module (gnu system linux-initrd) + #:use-module (gnu system privilege) #:use-module (gnu system setuid) #:use-module (gnu system uuid) #:use-module (gnu system file-systems) @@ -130,6 +131,7 @@ operating-system-keyboard-layout operating-system-name-service-switch operating-system-pam-services + operating-system-privileged-programs operating-system-setuid-programs operating-system-skeletons operating-system-sudoers-file @@ -174,6 +176,7 @@ local-host-aliases ;deprecated %root-account + %default-privileged-programs %setuid-programs %sudoers-specification %base-packages @@ -301,7 +304,10 @@ VERSION is the target version of the boot-parameters record." (pam-services operating-system-pam-services ; list of PAM services (default (base-pam-services))) + (privileged-programs operating-system-privileged-programs ; list of <privileged-program> + (default %default-privileged-programs)) (setuid-programs operating-system-setuid-programs + ;; For backwards compatibility; will be removed. (default %setuid-programs)) ; list of <setuid-program> (sudoers-file operating-system-sudoers-file ; file-like @@ -821,7 +827,8 @@ bookkeeping." (service host-name-service-type host-name) procs root-fs (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os)) boot-fs non-boot-fs @@ -860,7 +867,8 @@ bookkeeping." (service hosts-service-type (local-host-entries host-name))) (service privileged-program-service-type - (operating-system-setuid-programs os)) + (append (operating-system-privileged-programs os) + (operating-system-setuid-programs os))) (service profile-service-type (operating-system-packages os))))) (define* (operating-system-services os) @@ -1239,8 +1247,7 @@ use 'plain-file' instead~%") ;; when /etc/machine-id is missing. Make sure these warnings are non-fatal. ("DBUS_FATAL_WARNINGS" . "0"))) -(define %setuid-programs - ;; Default set of setuid-root programs. +(define %default-privileged-programs (let ((shadow (@ (gnu packages admin) shadow))) (map file-like->setuid-program (list (file-append shadow "/bin/passwd") @@ -1262,6 +1269,12 @@ use 'plain-file' instead~%") (file-append util-linux "/bin/mount") (file-append util-linux "/bin/umount"))))) +(define %setuid-programs + ;; Do not add to this list or use it in new code! It's defined only to ease + ;; transition to %default-privileged-programs and will be removed. Some rare + ;; use cases already break, such as the obvious (remove … %setuid-programs). + '()) + (define %sudoers-specification ;; Default /etc/sudoers contents: 'root' and all members of the 'wheel' ;; group can do anything. See |