Some programs need to run with elevated privileges, even when they are
launched by unprivileged users. A notorious example is the passwd
program, which users can run to change their password, and which needs to
access the /etc/passwd and /etc/shadow files—something
normally restricted to root, for obvious security reasons. To address that,
passwd
should be setuid-root, meaning that it always runs
with root privileges (see How Change Persona in The GNU C Library
Reference Manual, for more info about the setuid mechanism).
The store itself cannot contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (see 仓库). Thus, a different mechanism is used: instead of changing the setuid or setgid bits directly on files that are in the store, we let the system administrator declare which programs should be entrusted with these additional privileges.
The setuid-programs
field of an operating-system
declaration
contains a list of <setuid-program>
denoting the names of programs to
have a setuid or setgid bit set (see 使用配置系统).
For instance, the mount.nfs
program, which is part of the
nfs-utils package, with a setuid root can be designated like this:
(setuid-program
(program (file-append nfs-utils "/sbin/mount.nfs")))
And then, to make mount.nfs
setuid on your system, add the
previous example to your operating system declaration by appending it to
%setuid-programs
like this:
(operating-system
;; Some fields omitted...
(setuid-programs
(append (list (setuid-program
(program (file-append nfs-utils "/sbin/mount.nfs"))))
%setuid-programs)))
This data type represents a program with a setuid or setgid bit set.
program
A file-like object having its setuid and/or setgid bit set.
setuid?
(default: #t
)Whether to set user setuid bit.
setgid?
(default: #f
)Whether to set group setgid bit.
user
(default: 0
)UID (integer) or user name (string) for the user owner of the program, defaults to root.
group
(default: 0
)GID (integer) goup name (string) for the group owner of the program, defaults to root.
A default set of setuid programs is defined by the %setuid-programs
variable of the (gnu system)
module.
A list of <setuid-program>
denoting common programs that are
setuid-root.
The list includes commands such as passwd
, ping
,
su
, and sudo
.
Under the hood, the actual setuid programs are created in the /run/setuid-programs directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.