Skip to content

Fixup various setuid/setgid permission problems, part 2 #26939

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Jun 30, 2017
Merged

Fixup various setuid/setgid permission problems, part 2 #26939

merged 11 commits into from
Jun 30, 2017
+39 −5

Conversation

dtzWill
Copy link
Member

@dtzWill dtzWill commented Jun 28, 2017

Motivation for this change

Fixes all but the Darwin-specific failure in qtsvg from the list of packages in #26600.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

dtzWill added 11 commits June 28, 2017 13:34
@dtzWill
mailman: Fix attempts to chmod g+s during installation

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
179936d
@dtzWill
mailutils: Fix attempts to set unsupported ownership and perms

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
d339dc7
@dtzWill
mcron: Fix attempt to set +s during install
7492873
@dtzWill
netselect: Fix attempt to use unsupported permissions on files in store
59bf263
@dtzWill
wcslib: fix attempts to use unsupported permissions during install
15253a8
@dtzWill
kbdlight: Fix installation permissions
09d85c4 
Looks like NixOS creates a security wrapper for this already, FWIW.
@dtzWill
libutempter: Fixup unsupported permissions here as well
0d871bd
@dtzWill
leafnode: patch around setting special bits
ed0ac2f
@dtzWill
firejail: don't try to set setuid bit
707145a
@dtzWill
irods: Don't ask cmake to grant setuid permissions
8e5759e
@dtzWill
ddccontrol: Don't try to set special perms on ddcpci
bcaceab
@dtzWill dtzWill mentioned this pull request Jun 28, 2017
Closed
0xABAB
0xABAB reviewed Jun 28, 2017
View reviewed changes
pkgs/os-specific/linux/firejail/default.nix
@@ -27,7 +27,7 @@ stdenv.mkDerivation {
'';

preBuild = ''
sed -e "s@/etc/@$out/etc/@g" -i Makefile
sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like differential rights management, so perhaps you could replace that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change deletes the entire chmod u+s invocation entirely, which seems even better! (yes?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I am sorry for wasting your time here.

0xABAB
0xABAB suggested changes Jun 28, 2017
View reviewed changes
Copy link
Contributor

@0xABAB 0xABAB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to see some additional context in some comments about why the original package does things in a different way (i.e. with permission structures with 4 numbers) and how changing this on all platforms won't break things.

@dtzWill
Copy link
Member Author

dtzWill commented Jun 28, 2017

@0xABAB thanks for the review and comments. See #26600 for a bit of background, but basically for security reasons Nix no longer allows builders to set various permissions at any point during the build. Previously builders could "pretend" to set things like setsid but those permissions were purged after the build exited.

These changes should not change permissions on the completed outputs. The goal is to prevent security holes on builders that allow this behavior and un-break the build on hosts using newer Nix that disallows setting these permissions even temporarily.

Separately from working towards ensuring we're on the same page (above), is there something to be done to improve on these changes?

0xABAB
0xABAB approved these changes Jun 28, 2017
View reviewed changes
Copy link
Contributor

@0xABAB 0xABAB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am very happy with how this was handled.

@joachifm joachifm merged commit 8604630 into NixOS:master Jun 30, 2017
@joachifm
Copy link
Contributor

Built locally. Thank you

@dtzWill
Copy link
Member Author

dtzWill commented Jun 30, 2017

Thanks for merging! 👍

@dtzWill dtzWill deleted the fix/perms-fallout-misc-2 branch June 30, 2017 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@0xABAB 0xABAB

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@dtzWill @joachifm @0xABAB