08/09: doc: Expand ‘setuid-root’-only references.
From: guix-commits
Subject: 08/09: doc: Expand ‘setuid-root’-only references.
Date: Wed, 8 Jun 2022 13:28:51 -0400 (EDT)
nckx pushed a commit to branch master
in repository guix.
commit 7fe382892af614940f70a0ac57ed5976ff4e3da6
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Sun May 29 02:00:00 2022 +0200
doc: Expand ‘setuid-root’-only references.
* doc/guix.texi (Setuid Programs, Service Reference):
Don't assume setuid-root as the only possibility.
---
doc/guix.texi | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 96d545698f..ea133d519a 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -339,7 +339,7 @@ System Configuration
* Keyboard Layout:: How the system interprets key strokes.
* Locales:: Language and cultural convention settings.
* Services:: Specifying system services.
-* Setuid Programs:: Programs running with root privileges.
+* Setuid Programs:: Programs running with elevated privileges.
* X.509 Certificates:: Authenticating HTTPS servers.
* Name Service Switch:: Configuring libc's name service switch.
* Initial RAM Disk:: Linux-Libre bootstrapping.
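Review bot: In the changed menu line, "elevated privileges" does not name either mechanism, and the node title beside it still reads "Setuid Programs" only, so a reader scanning the menu for setgid has nothing to match on. Consider "Programs running with setuid or setgid privileges" here, and the same wording for the identical entry in the detailed menu at @@ -15414.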
@@ -15414,7 +15414,7 @@ instance to support new system services.
* Keyboard Layout:: How the system interprets key strokes.
* Locales:: Language and cultural convention settings.
* Services:: Specifying system services.
-* Setuid Programs:: Programs running with root privileges.
+* Setuid Programs:: Programs running with elevated privileges.
* X.509 Certificates:: Authenticating HTTPS servers.
* Name Service Switch:: Configuring libc's name service switch.
* Initial RAM Disk:: Linux-Libre bootstrapping.
@@ -35755,22 +35755,23 @@ Extra command line options for
@code{nix-service-type}.
@section Setuid Programs
@cindex setuid programs
-Some programs need to run with ``root'' privileges, even when they are
+@cindex setgid programs
+Some programs need to run with elevated privileges, even when they are
launched by unprivileged users. A notorious example is the
@command{passwd} program, which users can run to change their
password, and which needs to access the @file{/etc/passwd} and
@file{/etc/shadow} files---something normally restricted to root, for
-obvious security reasons. To address that, these executables are
-@dfn{setuid-root}, meaning that they always run with root privileges
+obvious security reasons. To address that, @command{passwd} should be
+@dfn{setuid-root}, meaning that it always runs with root privileges
(@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual},
for more info about the setuid mechanism).
The store itself @emph{cannot} contain setuid programs: that would be a
security issue since any user on the system can write derivations that
populate the store (@pxref{The Store}). Thus, a different mechanism is
-used: instead of changing the setuid bit directly on files that are in
-the store, we let the system administrator @emph{declare} which programs
-should be setuid root.
+used: instead of changing the setuid or setgid bits directly on files that
+are in the store, we let the system administrator @emph{declare} which
+programs should be entrusted with these additional privileges.
The @code{setuid-programs} field of an @code{operating-system}
declaration contains a list of @code{<setuid-program>} denoting the
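Review bot: The added "@cindex setgid programs" entry and the new "setuid or setgid bits" wording in the store paragraph point readers at setgid, but the section still defines only @dfn{setuid-root} and gives only the passwd example, so someone arriving from the index finds no explanation of what a setgid program (or a setuid program owned by a user other than root) actually gains. Add one sentence after the passwd example that defines setgid, ideally with its own @dfn. Separately, "@command{passwd} should be" turns the original description into a recommendation; if that is not intended, "is" keeps the descriptive tone.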
@@ -38000,7 +38001,7 @@ pointing to the given file.
@defvr {Scheme Variable} setuid-program-service-type
Type for the ``setuid-program service''. This service collects lists of
executable file names, passed as gexps, and adds them to the set of
-setuid-root programs on the system (@pxref{Setuid Programs}).
+setuid and setgid programs on the system (@pxref{Setuid Programs}).
@end defvr
@defvr {Scheme Variable} profile-service-type
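Review bot: The changed sentence in the setuid-program-service-type entry now covers setgid, but the unchanged line just above it still says the service collects "lists of executable file names, passed as gexps", while the Setuid Programs section in this same patch describes the field as a list of @code{<setuid-program>}. If the service takes those records, that wording should be updated in the same edit, since a bare file name does not say whether setuid or setgid is wanted.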