Some programs need to run with “root” privileges, even when they are
launched by unprivileged users. A notorious example is the
passwd program, which users can run to change their
password, and which needs to access the /etc/passwd and
/etc/shadow files—something normally restricted to root, for
obvious security reasons. To address that, these executables are
setuid-root, meaning that they always run with root privileges
(see How Change Persona in The GNU C Library Reference Manual,
for more info about the setuid mechanism).
The store itself cannot contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (see The Store). Thus, a different mechanism is used: instead of changing the setuid bit directly on files that are in the store, we let the system administrator declare which programs should be setuid root.
setuid-programs field of an
declaration contains a list of
<setuid-program> denoting the
names of programs to have a setuid or setgid bit set (see Using the Configuration System). For instance, the
which is part of the Shadow package, with a setuid root can be
designated like this:
(setuid-program (program (file-append shadow "/bin/passwd")))
This data type represents a program with a setuid or setgid bit set.
A file-like object having its setuid and/or setgid bit set.
Whether to set user setuid bit.
Whether to set group setgid bit.
UID (integer) or user name (string) for the user owner of the program, defaults to root.
GID (integer) goup name (string) for the group owner of the program, defaults to root.
A default set of setuid programs is defined by the
%setuid-programs variable of the
(gnu system) module.
A list of
<setuid-program> denoting common programs that are
The list includes commands such as
Under the hood, the actual setuid programs are created in the /run/setuid-programs directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.