GNU bug report logs - #38884
guix system roll-back doesn't roll setuid-programs back


Package: guix;

Reported by: Jakub Kądziołka <kuba <at> kadziolka.net>

Date: Fri, 3 Jan 2020 00:49:02 UTC

Owned by: Jakub Kądziołka <kuba <at> kadziolka.net>

Severity: important

Tags: security

Done: Brice Waegeneire <brice <at> waegenei.re>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 38884 in the body.
You can then email your comments to 38884 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-guix <at> gnu.org:
bug#38884; Package guix. (Fri, 03 Jan 2020 00:49:02 GMT)

Acknowledgement sent to Jakub Kądziołka <kuba <at> kadziolka.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 03 Jan 2020 00:49:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jakub Kądziołka <kuba <at> kadziolka.net>
To: bug-guix <at> gnu.org
Subject: guix system roll-back doesn't roll setuid-programs back
Date: Fri, 3 Jan 2020 01:48:03 +0100

Steps to reproduce:

1. Add a setuid program to your config:

(setuid-programs (cons*
                   (file-append hello "/bin/hello")
                   %setuid-programs))

2. guix system reconfigure
3. Observe that /run/setuid-programs/hello got created
4. Undo the configuration change
5. guix system reconfigure
6. Observe that /run/setuid-programs/hello no longer exists
7. guix system roll-back

Expected behavior:
/run/setuid-programs/hello appears again

Actual behavior:
/run/setuid-programs/hello still doesn't exist

Similarly, when roll-back is supposed to remove a file, it doesn't.

Previously mentioned in https://debbugs.gnu.org/38800.

Regards,
Jakub Kądziołka




Owner recorded as Jakub Kądziołka <kuba <at> kadziolka.net>. Request was from Jakub Kądziołka <kuba <at> kadziolka.net> to control <at> debbugs.gnu.org. (Tue, 14 Jan 2020 00:03:02 GMT)

Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 29 Jun 2020 20:08:02 GMT)

Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 29 Jun 2020 20:08:02 GMT)

Information forwarded to bug-guix <at> gnu.org, Jakub Kądziołka <kuba <at> kadziolka.net>:
bug#38884; Package guix. (Sun, 20 Sep 2020 20:45:01 GMT)

Message #14 received at 38884 <at> debbugs.gnu.org:

From: Brice Waegeneire via web <issues.guix.gnu.org <at> elephly.net>
To: 38884 <at> debbugs.gnu.org
Subject: guix system roll-back doesn't roll setuid-programs back
Date: Sun, 20 Sep 2020 22:43:48 +0200

Hello Guix,

"setuid-programs-service" extends the activation script, which isn't loaded when rolling back.

A difference between "reconfigure" and "switch-generation" (of which "roll-back" is just a useful alias) is that the former loads the activation script (guix scripts system reconfigure switch-system-program) after switching the profile's symlinks and before installing the bootloader, while the latter installs the bootloader (guix scripts system switch-to-system-generation) then switches the symlinks (guix profiles switch-to-generation).  Fixing that could be done by loading the activation script after switching profiles, as "reconfigure" does.
I guess that loading the activation script again, on an already running system, can have side effects, but it shouldn't be an issue as it's already done by "reconfigure".

Cheers,
- Brice
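
An added example, not part of either message and not Guix code: a small check for the drift this report describes, comparing a saved listing of /run/setuid-programs with the live directory after a generation switch. The script layout, function names and the SETUID_DIR variable are assumptions made for illustration; it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not Guix code): detect /run/setuid-programs drift after
# a generation switch. Assumes GNU stat, as shipped with Guix System.
SETUID_DIR=${SETUID_DIR:-/run/setuid-programs}

# Print one "NAME MODE" line per entry, sorted, e.g. "hello 4555".
snapshot_setuid() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(stat -c '%a' "$f")"
    done | LC_ALL=C sort
}

# Compare an expected snapshot file ($1) with a live one ($2).
# Prints "missing ..." for lines only in expected and "stale ..." for
# lines only in live (a mode change shows up as both).
# Returns 1 when any drift is found, 0 otherwise.
setuid_drift() {
    out=$(
        LC_ALL=C comm -23 "$1" "$2" | sed 's/^/missing /'
        LC_ALL=C comm -13 "$1" "$2" | sed 's/^/stale /'
    )
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: script snapshot > saved.txt   (right after "guix system reconfigure")
#        script check saved.txt        (after "guix system roll-back")
case "${1:-}" in
    snapshot) snapshot_setuid "$SETUID_DIR" ;;
    check)
        live=$(mktemp)
        snapshot_setuid "$SETUID_DIR" > "$live"
        rc=0
        setuid_drift "$2" "$live" || rc=$?
        rm -f "$live"
        exit "$rc" ;;
esac
```

A "stale" line after rolling back is the security-relevant case: a setuid binary that the active generation's configuration no longer declares is still present on the running system.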





bug closed, send any further explanations to 38884 <at> debbugs.gnu.org and Jakub Kądziołka <kuba <at> kadziolka.net> Request was from Brice Waegeneire <brice <at> waegenei.re> to control <at> debbugs.gnu.org. (Tue, 09 Mar 2021 06:18:01 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 06 Apr 2021 11:24:08 GMT)

This bug report was last modified 3 years and 13 days ago.
