How to make a derivation's executables, have the +s permission?

doronbehar · August 12, 2020, 9:11pm

So today I learned something about mount: There’s a not well known feature of it, which allows specifying in fstab a bind mount with the users option, and this allows non root users to mount a directory on demand, without root permissions. Here’s where I learned it:

It appears (according to this discussion that mount needs to have these permissions in order to allow this feature:

-rwsr-xr-x 1 root root 66944 Aug 12 23:14 mount

The mount in the /nix/store doesn’t have these permissions (naturally). Therefor it is incapable of performing this operation. It can be verified if one runs:

cp $(readlink --canonicalize $(where mount)) ./
sudo chown root:root ./mount
sudo chmod u+ws ./mount

And then tries to run ./mount /local/dir vs mount /local/dir.

I’d like to write PR that will make utillinux set this permission to the mount executable. A glance at:

$ find -L /run/current-system/sw/bin -perm -4000
/run/current-system/sw/bin/unix_chkpwd

Suggests that this is the only executable we do set these permissions ? But I couldn’t find where it came from.

tokudan · August 12, 2020, 9:22pm

Files in /nix/store should never have setuid permissions. That’s always done through wrapper scripts that should be created automatically in NixOS that reside in /run/wrappers/bin.

$ which ping
/run/wrappers/bin/ping
$ which unix_chkpwd
/run/wrappers/bin/unix_chkpwd

This is configured through this option:
https://nixos.org/nixos/options.html#security.wrappers

It appears that this isn’t done for mount on NixOS. Not sure if that’s intentional or just an oversight.

doronbehar · August 12, 2020, 9:35pm

Hmm I see. So what do you think would be the best way to make this happen - via a new, enabled by default module? Or perhaps directly in utillinux itself? As in:

github.com

NixOS/nixpkgs/blob/800d9e77fe80c98b93e60a33e803f10d477f0664/pkgs/os-specific/linux/pam/default.nix#L35-L38

    
      
          postInstall = ''
            mv -v $out/sbin/unix_chkpwd{,.orig}
            ln -sv /run/wrappers/bin/unix_chkpwd $out/sbin/unix_chkpwd
          ''; /*

tokudan · August 12, 2020, 9:48pm

The derivation utillinux is unable to do it. It’s part of the system configuration.
The line you’re linking to only creates a link in sbin, which has no influence on the wrapper.
The actual wrapping happens through this:

github.com

NixOS/nixpkgs/blob/f9a5d8539d6210d273783686dca6314ddab57d12/nixos/modules/security/pam.nix#L802

    
      
            ++ optional config.services.sssd.enable pkgs.sssd
            ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
            ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
            ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
            ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
            ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
          
          
boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
          
          
security.wrappers = {
            unix_chkpwd = {
              source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
              owner = "root";
              setuid = true;
            };
          };
          
          
environment.etc = mapAttrs' makePAMService config.security.pam.services;
          
          
security.pam.services =
            { other.text =

An easier example would be the mtr module, which only creates a wrapper.
https://github.com/NixOS/nixpkgs/blob/f9a5d8539d6210d273783686dca6314ddab57d12/nixos/modules/programs/mtr.nix

primeos · August 13, 2020, 10:24am

Maybe here would be a good option.

doronbehar · August 14, 2020, 5:43pm

Thanks @primeos, that was easy :), now live at: https://github.com/NixOS/nixpkgs/pull/95444 .