Some programs need to run with “root” privileges, even when they are
launched by unprivileged users. A notorious example is the
passwd program, which users can run to change their
password, and which needs to access the /etc/passwd and
/etc/shadow files—something normally restricted to root, for
obvious security reasons. To address that, these executables are
setuid-root, meaning that they always run with root privileges
(see How Change Persona in The GNU C Library Reference Manual,
for more info about the setuid mechanism).
The store itself cannot contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (see The Store). Thus, a different mechanism is used: instead of changing the setuid bit directly on files that are in the store, we let the system administrator declare which programs should be setuid root.
setuid-programs field of an
declaration contains a list of G-expressions denoting the names of
programs to be setuid-root (see Using the Configuration System).
For instance, the
passwd program, which is part of the Shadow
package, can be designated by this G-expression (see G-Expressions):
#~(string-append #$shadow "/bin/passwd")
A default set of setuid programs is defined by the
%setuid-programs variable of the
(gnu system) module.
A list of G-expressions denoting common programs that are setuid-root.
The list includes commands such as
Under the hood, the actual setuid programs are created in the /run/setuid-programs directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.