Next: X.509 Certificates, Previous: Services, Up: System Configuration [Contents][Index]
Some programs need to run with elevated privileges, even when they are launched by unprivileged users. A notorious example is the passwd program, which users can run to change their password, and which needs to access the /etc/passwd and /etc/shadow files, something normally restricted to root for obvious security reasons. To address that, passwd should be setuid-root, meaning that it always runs with root privileges (see How Change Persona in The GNU C Library Reference Manual, for more info about the setuid mechanism).
The store itself cannot contain privileged programs: that would be a security issue since any user on the system can write derivations that populate the store (see The Store). Thus, a different mechanism is used: instead of directly granting permissions to files that are in the store, we let the system administrator declare which programs should be entrusted with these additional privileges.
The privileged-programs field of an operating-system declaration contains a list of <privileged-program> records denoting the names of programs to have a setuid or setgid bit set (see Using the Configuration System). For instance, the mount.nfs program, which is part of the nfs-utils package, can be designated as setuid root like this:
    (privileged-program
      (program (file-append nfs-utils "/sbin/mount.nfs"))
      (setuid? #t))
And then, to make mount.nfs setuid on your system, add the previous example to your operating system declaration by appending it to %default-privileged-programs like this:
    (operating-system
      ;; Some fields omitted...
      (privileged-programs
       (append (list (privileged-program
                       (program (file-append nfs-utils "/sbin/mount.nfs"))
                       (setuid? #t)))
               %default-privileged-programs)))
The privileged-program data type represents a program with special privileges, such as setuid. It has the following fields:

program
    A file-like object to which all given privileges should apply.

setuid? (default: #f)
    Whether to set the setuid bit.

setgid? (default: #f)
    Whether to set the setgid bit.

user (default: 0)
    UID (integer) or user name (string) of the user owner of the program; defaults to root.

group (default: 0)
    GID (integer) or group name (string) of the group owner of the program; defaults to root.

capabilities (default: #f)
    A string representing the program's POSIX capabilities, as described by the cap_to_text(3) man page from the libcap package, or #f to make no changes.
A default set of privileged programs is defined by the %default-privileged-programs variable of the (gnu system) module. It is a list of <privileged-program> records denoting common programs with elevated privileges. The list includes commands such as passwd, ping, su, and sudo.
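As an added example that is not part of the manual or of Guix itself, the declaration below exercises each privileged-program field (setuid root, setgid to a named group, and file capabilities instead of setuid), starts from %default-privileged-programs without duplicating any entry it redefines, and lists which commands end up setuid root so that they can be reviewed. The package modules (nfs, linux, admin), the package variables (nfs-utils, util-linux, inetutils), the in-package paths and the "tty" group are assumptions made for illustration; check them with `guix show PACKAGE` before use.

```scheme
;; Added example; not code from the Guix manual or the Guix source.
;; Package modules, package variables and in-package paths below are
;; assumptions for illustration.
(use-modules (gnu)
             (gnu system)        ; privileged-program, %default-privileged-programs
             (guix gexp)         ; file-append, file-append?, file-append-suffix
             (srfi srfi-1))      ; remove, filter-map
(use-package-modules nfs linux admin)   ; nfs-utils, util-linux, inetutils (assumed)

(define (privileged-program-command prog)
  "Return the command name (last path component) of PROG, e.g. \"ping\",
or #f when its program field is not a file-append object."
  (let ((program (privileged-program-program prog)))
    (and (file-append? program)
         (basename (string-concatenate (file-append-suffix program))))))

(define (without-commands names programs)
  "Drop from PROGRAMS every entry whose command name is in NAMES, so that
a replacement declared by us is the only privileged copy of that command."
  (remove (lambda (prog)
            (member (privileged-program-command prog) names))
          programs))

(define (setuid-root-commands programs)
  "Return the command names in PROGRAMS that run with UID 0 via setuid:
the entries that deserve the closest review, since a bug in any of them
is a local root compromise."
  (filter-map (lambda (prog)
                (and (privileged-program-setuid? prog)
                     (member (privileged-program-user prog) '(0 "root"))
                     (privileged-program-command prog)))
              programs))

(define %my-privileged-programs
  (append
   (list
    ;; Setuid root: the manual's mount.nfs example, unchanged.  The
    ;; kernel ignores setuid on interpreted scripts, so PROGRAM has to
    ;; be a native executable.
    (privileged-program
     (program (file-append nfs-utils "/sbin/mount.nfs"))
     (setuid? #t))
    ;; Setgid to a non-root group (assumed path and group): wall only
    ;; needs write access to terminals, which group "tty" grants.
    (privileged-program
     (program (file-append util-linux "/bin/wall"))
     (setgid? #t)
     (group "tty"))
    ;; File capabilities instead of setuid (assumed path): ping runs as
    ;; the calling user with only CAP_NET_RAW added, so a bug in it does
    ;; not yield root.
    (privileged-program
     (program (file-append inetutils "/bin/ping"))
     (capabilities "cap_net_raw=ep")))
   ;; The defaults, minus any entry for a command redefined above, so
   ;; there is exactly one privileged copy of each command.
   (without-commands '("mount.nfs" "wall" "ping")
                     %default-privileged-programs)))

;; Audit list: commands that will be setuid root under /run/privileged/bin.
(define %setuid-root-audit
  (setuid-root-commands %my-privileged-programs))

;; Plug into an operating-system declaration (other required fields such
;; as host-name, bootloader and file-systems omitted, as in the manual):
;;
;;   (operating-system
;;     ;; ...
;;     (privileged-programs %my-privileged-programs))
```

Load the file with `guix repl FILE` to check that it evaluates; %setuid-root-audit then holds mount.nfs plus whichever default entries (passwd, su, sudo and so on) are setuid root, which is the list to keep short. After reconfiguring, the bits and capabilities can be confirmed on the activated files with `ls -l /run/privileged/bin` and `getcap /run/privileged/bin/ping`. Preferring a capabilities entry over setuid? #t wherever a program needs a single kernel privilege is the least-privilege choice this data type makes available.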
Under the hood, the actual privileged programs are created in the /run/privileged/bin directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.