Next: X.509 Certificates, Previous: Services, Up: System Configuration [Contents][Index]
Some programs need to run with elevated privileges, even when they are launched by unprivileged users. A notorious example is the passwd program, which users can run to change their password, and which needs to access the /etc/passwd and /etc/shadow files—something normally restricted to root, for obvious security reasons. To address that, passwd should be setuid-root, meaning that it always runs with root privileges (see How Change Persona in The GNU C Library Reference Manual, for more info about the setuid mechanism).
The store itself cannot contain setuid programs: that would be a security issue, since any user on the system can write derivations that populate the store (see The Store). Thus, a different mechanism is used: instead of changing the setuid or setgid bits directly on files that are in the store, we let the system administrator declare which programs should be entrusted with these additional privileges.
The setuid-programs field of an operating-system declaration contains a list of <setuid-program> records denoting the names of programs that are to have a setuid or setgid bit set (see Using the Configuration System). For instance, the mount.nfs program, which is part of the nfs-utils package, can be designated as setuid-root like this:

    (setuid-program
      (program (file-append nfs-utils "/sbin/mount.nfs")))
And then, to make mount.nfs setuid on your system, add the previous example to your operating system declaration by appending it to %setuid-programs, like this:

    (operating-system
      ;; Some fields omitted...
      (setuid-programs
        (append (list (setuid-program
                        (program (file-append nfs-utils "/sbin/mount.nfs"))))
                %setuid-programs)))
Data Type: setuid-program

This data type represents a program with a setuid or setgid bit set.

program
    A file-like object having its setuid and/or setgid bit set.

setuid? (default: #t)
    Whether to set the user setuid bit.

setgid? (default: #f)
    Whether to set the group setgid bit.

user (default: 0)
    UID (integer) or user name (string) for the user owner of the program; defaults to root.

group (default: 0)
    GID (integer) or group name (string) for the group owner of the program; defaults to root.
A default set of setuid programs is defined by the %setuid-programs variable of the (gnu system) module.

Variable: %setuid-programs

A list of <setuid-program> records denoting common programs that are setuid-root.

The list includes commands such as passwd, ping, su, and sudo.
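As an added example that is not part of the Guix manual, the declaration below replaces the %setuid-programs default with an explicit allow-list and uses the setuid?, setgid?, user and group fields of the data type above for a helper that needs only group privilege. The package my-helper, its module (my packages helper) and the /bin/helper path are hypothetical placeholders; shadow, sudo and nfs-utils are real Guix packages.

```scheme
(use-modules (gnu)                 ; operating-system and friends
             (guix gexp)           ; file-append
             (gnu system setuid)   ; the <setuid-program> record type
             (gnu packages admin)  ; shadow (provides passwd), sudo
             (gnu packages nfs)    ; nfs-utils (provides mount.nfs)
             (my packages helper)) ; HYPOTHETICAL module exporting `my-helper'

;; An explicit allow-list in place of %setuid-programs: every privileged
;; binary on the machine is named here, so reviewing this list means
;; reviewing the whole setuid/setgid surface of the system.  Defaults
;; such as `su' and `ping' are left out because this host does not use
;; them; fewer privileged binaries means less to audit and less to abuse.
(define %reviewed-setuid-programs
  (list
   ;; setuid root, exactly as in the default list: passwd must be able
   ;; to write /etc/shadow.
   (setuid-program
    (program (file-append shadow "/bin/passwd")))
   (setuid-program
    (program (file-append sudo "/bin/sudo")))
   ;; setuid root for mount.nfs, the case discussed in the text above.
   (setuid-program
    (program (file-append nfs-utils "/sbin/mount.nfs")))
   ;; A helper that only needs group privilege: setgid to `wheel' and
   ;; no setuid bit at all.  `my-helper' and /bin/helper are hypothetical.
   (setuid-program
    (program (file-append my-helper "/bin/helper"))
    (setuid? #f)
    (setgid? #t)
    (user "root")       ; file owner stays root (default is UID 0 anyway)
    (group "wheel"))))  ; the group whose privilege the helper gains

(operating-system
  ;; Other required fields (host-name, bootloader, file-systems, ...) omitted.
  (setuid-programs %reviewed-setuid-programs))
```

After `guix system reconfigure`, the effective set can be checked by listing /run/setuid-programs and comparing it against this declaration.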
Under the hood, the actual setuid programs are created in the /run/setuid-programs directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.