Commit graph

8 commits

Author SHA1 Message Date
Ludovic Courtès 5229399617 setuid-wrapper: Disallow empty `.real' files.
svn path=/nixos/trunk/; revision=11122
2008-03-14 13:10:30 +00:00
Ludovic Courtès bfbe92236a Remove remaining `abort ()'.
svn path=/nixos/trunk/; revision=10680
2008-02-14 11:44:54 +00:00
Ludovic Courtès bdc729ea6c Use `assert (!C)' instead of `if (C) abort ();' in setuid wrappers.
svn path=/nixos/trunk/; revision=10679
2008-02-14 11:08:06 +00:00
Eelco Dolstra a05d842575 * Close fdSelf.
svn path=/nixos/trunk/; revision=10678
2008-02-14 10:56:14 +00:00
Eelco Dolstra 2fc94b76fe * Eliminate all calls to config.get.
svn path=/nixos/trunk/; revision=9619
2007-11-09 18:49:45 +00:00
Eelco Dolstra a66bae7b2f * Strip.
svn path=/nixos/trunk/; revision=7164
2006-11-28 17:40:56 +00:00
Eelco Dolstra 39ac293b58 * Create setuid wrappers for a few programs (su and passwd). This is
still a bit ad hoc, but it works.

svn path=/nixos/trunk/; revision=7163
2006-11-28 17:34:27 +00:00
Eelco Dolstra cba92bbdf1 * First step towards setuid/setgid support: a setuid/setgid wrapper
program.

  The Nix store cannot directly support setuid binaries for a number
  of reasons:

  - Builds are generally not performed as root (and they shouldn't
    be), so the builder cannot chown/chmod executables to the right
    setuid ownership.

  - Unpacking a NAR archive containing a setuid binary would only work
    when Nix is run as root.

  - Worst of all, setuid binaries don't fit in the purely functional
    model: if a security bug is discovered in a setuid binary, that
    binary should be removed from the system to prevent users from
    calling it.  But we cannot garbage collect it unless all
    references to it are gone, which might never happen.  Of course,
    we could just remove setuid permission, but that would also be
    impure.

  So the solution is to keep setuid-ness out of the Nix store.
  Rather, for programs that we want to execute as setuid, we generate
  wrapper programs (as root) that are setuid and do an execve() to
  call the real, non-setuid program in the Nix store.

  That's what setuid-wrapper does.  It determines its own name (e.g.,
  /var/setuid-wrappers/passwd), reads the name of the wrapped program
  from <self>.real (e.g., /var/setuid-wrappers/passwd.real, which
  might contain /nix/var/nix/profiles/system/bin/passwd), and executes
  it.  Thus, the non-setuid passwd in the Nix store would be executed
  with the effective user set to root.

  Setuid-wrapper also performs a few security checks to prevent it
  from reading a fake <self>.real file through hard-linking tricks.

svn path=/nixos/trunk/; revision=7157
2006-11-28 13:36:27 +00:00