GNU bug report logs - #31814: setuid programs are not first in PATH
Report forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Wed, 13 Jun 2018 14:34:01 GMT)
Acknowledgement sent to Clément Lassieur <clement <at> lassieur.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 13 Jun 2018 14:34:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi,
sourcing /etc/profile
- prepends /run/setuid-programs to $PATH
- then sources $HOME/.guix-profile/etc/profile
and sourcing $HOME/.guix-profile/etc/profile
- prepends $HOME/.guix-profile/bin to $PATH
- prepends $HOME/.guix-profile/sbin to $PATH
so in the end, $PATH looks like:
~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
and a command like 'ping' is found in ~/.guix-profile/bin, which makes
it unusable.
Clément
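The shadowing described in this report can be checked mechanically. The following is an added example, not part of the original message or of Guix; the function name shadowed_setuid and the temporary directories standing in for ~/.guix-profile/bin and /run/setuid-programs are assumptions made for illustration.

```shell
# shadowed_setuid SETUID_DIR PATH_STRING
# Prints "name -> /earlier/dir/name" for every executable in SETUID_DIR
# that a directory listed before SETUID_DIR in PATH_STRING also provides.
# Runs in a subshell so the IFS and globbing changes stay local.
shadowed_setuid() (
    setuid_dir=$1
    for prog in "$setuid_dir"/*; do
        [ -f "$prog" ] && [ -x "$prog" ] || continue
        name=${prog##*/}
        set -f      # no globbing while splitting PATH_STRING
        IFS=:
        for dir in $2; do
            # An empty PATH entry means the current directory.
            [ -n "$dir" ] || dir=.
            # Reaching the setuid directory first means nothing shadows it.
            [ "$dir" = "$setuid_dir" ] && break
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                echo "$name -> $dir/$name"
                break
            fi
        done
    done
)

# Constructed stand-ins for ~/.guix-profile/bin and /run/setuid-programs.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/profile/bin" "$demo_root/setuid-programs"
for d in profile/bin setuid-programs; do
    printf '#!/bin/sh\n' > "$demo_root/$d/ping"
    chmod +x "$demo_root/$d/ping"
done

# Order from the report: the user profile precedes the setuid directory.
before=$(shadowed_setuid "$demo_root/setuid-programs" \
    "$demo_root/profile/bin:$demo_root/setuid-programs:/usr/bin")
# Order with the setuid directory first in PATH.
after=$(shadowed_setuid "$demo_root/setuid-programs" \
    "$demo_root/setuid-programs:$demo_root/profile/bin:/usr/bin")
echo "before: ${before:-nothing shadowed}"
echo "after:  ${after:-nothing shadowed}"
rm -rf "$demo_root"
```

On a real system the call would be shadowed_setuid /run/setuid-programs "$PATH"; the directory argument must be spelled exactly as it appears in PATH.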
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Wed, 13 Jun 2018 15:01:02 GMT)
Message #8 received at submit <at> debbugs.gnu.org:
Clément Lassieur <clement <at> lassieur.org> writes:
> Hi,
>
> sourcing /etc/profile
>
> - prepends /run/setuid-programs to $PATH
> - then sources $HOME/.guix-profile/etc/profile
>
> and sourcing $HOME/.guix-profile/etc/profile
>
> - prepends $HOME/.guix-profile/bin to $PATH
> - prepends $HOME/.guix-profile/sbin to $PATH
>
> so in the end, $PATH looks like:
>
> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>
> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
> it unusable.
I'm probably being really silly, but shouldn't it still work? I mean
~/.guix-profile/bin is still in your path right?
>
> Clément
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Wed, 13 Jun 2018 15:07:01 GMT)
Message #11 received at submit <at> debbugs.gnu.org:
On 2018-06-13 17:05, Joshua Branson wrote:
> Clément Lassieur <clement <at> lassieur.org> writes:
>
>> Hi,
>>
>> sourcing /etc/profile
>>
>> - prepends /run/setuid-programs to $PATH
>> - then sources $HOME/.guix-profile/etc/profile
>>
>> and sourcing $HOME/.guix-profile/etc/profile
>>
>> - prepends $HOME/.guix-profile/bin to $PATH
>> - prepends $HOME/.guix-profile/sbin to $PATH
>>
>> so in the end, $PATH looks like:
>>
>> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>>
>> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
>> it unusable.
>
> I'm probably being really silly, but shouldn't it still work? I mean
> ~/.guix-profile/bin is still in your path right?
The ping from ~/.guix-profile/bin is not setuid, contrary to the ping in
/run/setuid-programs. This is necessary for users to run ping.
>
>>
>> Clément
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Wed, 13 Jun 2018 15:08:02 GMT)
Message #14 received at 31814 <at> debbugs.gnu.org:
Joshua Branson <jbranso <at> fastmail.com> writes:
> Clément Lassieur <clement <at> lassieur.org> writes:
>
>> Hi,
>>
>> sourcing /etc/profile
>>
>> - prepends /run/setuid-programs to $PATH
>> - then sources $HOME/.guix-profile/etc/profile
>>
>> and sourcing $HOME/.guix-profile/etc/profile
>>
>> - prepends $HOME/.guix-profile/bin to $PATH
>> - prepends $HOME/.guix-profile/sbin to $PATH
>>
>> so in the end, $PATH looks like:
>>
>> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>>
>> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
>> it unusable.
>
> I'm probably being really silly, but shouldn't it still work? I mean
> ~/.guix-profile/bin is still in your path right?
Yes, but ~/.guix-profile/bin/ping (which is the one being chosen)
doesn't have the setuid flag, so it doesn't work.
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Thu, 14 Jun 2018 13:56:02 GMT)
Message #17 received at submit <at> debbugs.gnu.org:
Clément Lassieur <clement <at> lassieur.org> writes:
> Joshua Branson <jbranso <at> fastmail.com> writes:
>
>> Clément Lassieur <clement <at> lassieur.org> writes:
>>
>>> Hi,
>>>
>>> sourcing /etc/profile
>>>
>>> - prepends /run/setuid-programs to $PATH
>>> - then sources $HOME/.guix-profile/etc/profile
>>>
>>> and sourcing $HOME/.guix-profile/etc/profile
>>>
>>> - prepends $HOME/.guix-profile/bin to $PATH
>>> - prepends $HOME/.guix-profile/sbin to $PATH
>>>
>>> so in the end, $PATH looks like:
>>>
>>> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>>>
>>> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
>>> it unusable.
>>
>> I'm probably being really silly, but shouldn't it still work? I mean
>> ~/.guix-profile/bin is still in your path right?
>
> Yes, but ~/.guix-profile/bin/ping (which is the one being chosen)
> doesn't have the setuid flag, so it doesn't work.
Oh. I didn't realize that the ping command was a setuid program. cool.
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Sat, 16 Jun 2018 09:36:02 GMT)
Message #20 received at 31814 <at> debbugs.gnu.org:
Clément Lassieur <clement <at> lassieur.org> writes:
> Hi,
>
> sourcing /etc/profile
>
> - prepends /run/setuid-programs to $PATH
> - then sources $HOME/.guix-profile/etc/profile
>
> and sourcing $HOME/.guix-profile/etc/profile
>
> - prepends $HOME/.guix-profile/bin to $PATH
> - prepends $HOME/.guix-profile/sbin to $PATH
>
> so in the end, $PATH looks like:
>
> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>
> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
> it unusable.
What package in your profile provides “ping”?
--
Ricardo
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Sat, 16 Jun 2018 22:36:01 GMT)
Message #23 received at 31814 <at> debbugs.gnu.org:
Ricardo Wurmus <rekado <at> elephly.net> writes:
> What package in your profile provides “ping”?
inetutils
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Sun, 17 Jun 2018 21:08:01 GMT)
Message #26 received at 31814 <at> debbugs.gnu.org:
[Message part 1 (text/plain, inline)]
Hello Clément,
Clément Lassieur <clement <at> lassieur.org> writes:
> sourcing /etc/profile
>
> - prepends /run/setuid-programs to $PATH
> - then sources $HOME/.guix-profile/etc/profile
>
> and sourcing $HOME/.guix-profile/etc/profile
>
> - prepends $HOME/.guix-profile/bin to $PATH
> - prepends $HOME/.guix-profile/sbin to $PATH
>
> so in the end, $PATH looks like:
>
> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>
> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
> it unusable.
AFAICS this is not a regression, but it can be fixed this way:
[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/system.scm b/gnu/system.scm
index 7cb12a827..d367307a2 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -616,9 +616,6 @@ unset PATH
GUIX_PROFILE=/run/current-system/profile ; \\
. /run/current-system/profile/etc/profile
-# Prepend setuid programs.
-export PATH=/run/setuid-programs:$PATH
-
# Since 'lshd' does not use pam_env, /etc/environment must be explicitly
# loaded when someone logs in via SSH. See <http://bugs.gnu.org/22175>.
# We need 'PATH' to be defined here, for 'cat' and 'cut'. Do this before
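Review bot: The /etc/environment handling that follows the removed lines now runs without /run/setuid-programs in PATH, so please confirm that nothing between here and the new location calls a setuid program by bare name. The surviving comment says PATH must be defined at this point for 'cat' and 'cut'; both should still resolve from /run/current-system/profile, which is sourced just above, but that is worth checking before the move lands.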
@@ -645,6 +642,9 @@ do
fi
done
+# Prepend setuid programs.
+export PATH=/run/setuid-programs:$PATH
+
# Arrange so that ~/.config/guix/current/share/info comes first.
export INFOPATH=\"$HOME/.config/guix/current/share/info:$INFOPATH\"
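Review bot: The re-added comment '# Prepend setuid programs.' does not say that its position after the 'done' loop is the whole point of the change; a line such as "must come last so that /run/setuid-programs takes precedence over same-named programs in user profiles" would keep a later reordering from reintroducing this bug. As a style point, '$PATH' is unquoted in the 'export' line while the INFOPATH assignment just below quotes its value; quoting both would be consistent.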
[Message part 3 (text/plain, inline)]
In the example you give (inetutils), I suppose users want
/run/setuid-programs/ping to come first. I wonder if there are
situations where the current behavior is desirable; maybe not.
Thoughts?
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Mon, 18 Jun 2018 06:17:02 GMT)
Message #29 received at 31814 <at> debbugs.gnu.org:
Hello Ludovic,
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello Clément,
>
> Clément Lassieur <clement <at> lassieur.org> writes:
>
>> sourcing /etc/profile
>>
>> - prepends /run/setuid-programs to $PATH
>> - then sources $HOME/.guix-profile/etc/profile
>>
>> and sourcing $HOME/.guix-profile/etc/profile
>>
>> - prepends $HOME/.guix-profile/bin to $PATH
>> - prepends $HOME/.guix-profile/sbin to $PATH
>>
>> so in the end, $PATH looks like:
>>
>> ~/.config/guix/current/bin:~/.guix-profile/bin:~/.guix-profile/sbin:/run/setuid-programs:...
>>
>> and a command like 'ping' is found in ~/.guix-profile/bin, which makes
>> it unusable.
>
> AFAICS this is not a regression, but it can be fixed this way:
No it's not a regression. I've had the fix locally for a long time.
> diff --git a/gnu/system.scm b/gnu/system.scm
> index 7cb12a827..d367307a2 100644
> --- a/gnu/system.scm
> +++ b/gnu/system.scm
> @@ -616,9 +616,6 @@ unset PATH
> GUIX_PROFILE=/run/current-system/profile ; \\
> . /run/current-system/profile/etc/profile
>
> -# Prepend setuid programs.
> -export PATH=/run/setuid-programs:$PATH
> -
> # Since 'lshd' does not use pam_env, /etc/environment must be explicitly
> # loaded when someone logs in via SSH. See <http://bugs.gnu.org/22175>.
> # We need 'PATH' to be defined here, for 'cat' and 'cut'. Do this before
> @@ -645,6 +642,9 @@ do
> fi
> done
>
> +# Prepend setuid programs.
> +export PATH=/run/setuid-programs:$PATH
> +
> # Arrange so that ~/.config/guix/current/share/info comes first.
> export INFOPATH=\"$HOME/.config/guix/current/share/info:$INFOPATH\"
Yes this sounds good.
> In the example you give (inetutils), I suppose users want
> /run/setuid-programs/ping to come first. I wonder if there are
> situations where the current behavior is desirable; maybe not.
>
> Thoughts?
I can't think of any situations where the current behavior is desirable.
Thank you,
Clément
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Mon, 18 Jun 2018 13:41:02 GMT)
Message #32 received at 31814 <at> debbugs.gnu.org:
ludo <at> gnu.org (Ludovic Courtès) writes:
> In the example you give (inetutils), I suppose users want
> /run/setuid-programs/ping to come first. I wonder if there are
> situations where the current behavior is desirable; maybe not.
The only cases I can think of involve 'sudo'.
But it's easier to work around that, than the other way around.
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Tue, 19 Jun 2018 09:30:02 GMT)
Notification sent to Clément Lassieur <clement <at> lassieur.org>: bug acknowledged by developer. (Tue, 19 Jun 2018 09:30:02 GMT)
Message #37 received at 31814-done <at> debbugs.gnu.org:
Hello,
Clément Lassieur <clement <at> lassieur.org> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
[...]
>> diff --git a/gnu/system.scm b/gnu/system.scm
>> index 7cb12a827..d367307a2 100644
>> --- a/gnu/system.scm
>> +++ b/gnu/system.scm
>> @@ -616,9 +616,6 @@ unset PATH
>> GUIX_PROFILE=/run/current-system/profile ; \\
>> . /run/current-system/profile/etc/profile
>>
>> -# Prepend setuid programs.
>> -export PATH=/run/setuid-programs:$PATH
>> -
>> # Since 'lshd' does not use pam_env, /etc/environment must be explicitly
>> # loaded when someone logs in via SSH. See <http://bugs.gnu.org/22175>.
>> # We need 'PATH' to be defined here, for 'cat' and 'cut'. Do this before
>> @@ -645,6 +642,9 @@ do
>> fi
>> done
>>
>> +# Prepend setuid programs.
>> +export PATH=/run/setuid-programs:$PATH
>> +
>> # Arrange so that ~/.config/guix/current/share/info comes first.
>> export INFOPATH=\"$HOME/.config/guix/current/share/info:$INFOPATH\"
>
> Yes this sounds good.
Pushed as a854525a34c42622a3945ffeb36781ae48a8267e.
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#31814; Package guix. (Tue, 19 Jun 2018 10:27:01 GMT)
Message #40 received at 31814-done <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> Clément Lassieur <clement <at> lassieur.org> writes:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>
> [...]
>
>>> diff --git a/gnu/system.scm b/gnu/system.scm
>>> index 7cb12a827..d367307a2 100644
>>> --- a/gnu/system.scm
>>> +++ b/gnu/system.scm
>>> @@ -616,9 +616,6 @@ unset PATH
>>> GUIX_PROFILE=/run/current-system/profile ; \\
>>> . /run/current-system/profile/etc/profile
>>>
>>> -# Prepend setuid programs.
>>> -export PATH=/run/setuid-programs:$PATH
>>> -
>>> # Since 'lshd' does not use pam_env, /etc/environment must be explicitly
>>> # loaded when someone logs in via SSH. See <http://bugs.gnu.org/22175>.
>>> # We need 'PATH' to be defined here, for 'cat' and 'cut'. Do this before
>>> @@ -645,6 +642,9 @@ do
>>> fi
>>> done
>>>
>>> +# Prepend setuid programs.
>>> +export PATH=/run/setuid-programs:$PATH
>>> +
>>> # Arrange so that ~/.config/guix/current/share/info comes first.
>>> export INFOPATH=\"$HOME/.config/guix/current/share/info:$INFOPATH\"
>>
>> Yes this sounds good.
>
> Pushed as a854525a34c42622a3945ffeb36781ae48a8267e.
Thank you!
Clément
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 17 Jul 2018 11:24:03 GMT)