Why is `newgidmap` in my $PATH? (a question about binaries...)

Hello everyone!

Context: Ultimately I would like to better control what binaries are exposed in my CLI environment, thus reducing drastically what is exposed in $PATH. With a profile/usecase-based escape hatch to access certain binaries I don’t normally have.

While checking availability of some command name (for my own scripts and tools), new<TAB> gave me:
```
newgidmap newgidmap.real newgrp newgrp.real newuidmap newuidmap.real newusers
```

=> Loads of binaries I will never use in my day-to-day use of the computer!
So today is the day I ask:

Why are these binaries in my $PATH ?
What includes them here, are they required for something?
Can I remove them from my $PATH ? (at which level? at what cost?)

You can find my current single-file OS config at GitHub - bew/nixos-config: My NixOS configs ;), it’s quite straightforward, nothing weird I think that could import such kinds of binaries so it must come from the base system modules?

```
$ type -p newgidmap newgidmap.real newgrp newgrp.real newuidmap newuidmap.real newusers
/run/wrappers/bin/newgidmap
/run/wrappers/bin/newgidmap.real
/run/wrappers/bin/newgrp
/run/wrappers/bin/newgrp.real
/run/wrappers/bin/newuidmap
/run/wrappers/bin/newuidmap.real
/run/current-system/sw/bin/newusers
```

```
$ head /run/wrappers/bin/{newgidmap,newgrp,newuidmap}.real
==> /run/wrappers/bin/newgidmap.real <==
/nix/store/...-shadow-.../bin/newgidmap
==> /run/wrappers/bin/newgrp.real <==
/nix/store/...-shadow-.../bin/newgrp
==> /run/wrappers/bin/newuidmap.real <==
/nix/store/...-shadow-.../bin/newuidmap
```

```
$ sudo grep -- -shadow- /run/wrappers/bin/*
/run/wrappers/bin/chsh.real:/nix/store/...-shadow-.../bin/chsh
/run/wrappers/bin/newgidmap.real:/nix/store/...-shadow-.../bin/newgidmap
/run/wrappers/bin/newgrp.real:/nix/store/...-shadow-.../bin/newgrp
/run/wrappers/bin/newuidmap.real:/nix/store/...-shadow-.../bin/newuidmap
/run/wrappers/bin/passwd.real:/nix/store/...-shadow-.../bin/passwd
/run/wrappers/bin/sg.real:/nix/store/...-shadow-.../bin/sg
/run/wrappers/bin/su.real:/nix/store/...-shadow-...-su/bin/su
```

```
$ readlink /run/current-system/sw/bin/newusers
/nix/store/...-shadow-.../bin/newusers
```

```
$ ls /nix/store/...-shadow-.../bin/
chage
chfn
chgpasswd
chpasswd
chsh
expiry
faillog
getsubids
gpasswd
groupadd
groupdel
groupmems
groupmod
grpck
grpconv
grpunconv
lastlog
login
logoutd
newgidmap
newgrp
newuidmap
newusers
nologin
passwd
pwck
pwconv
pwunconv
sg
useradd
userdel
usermod
vigr
vipw
```

Thanks for the deep dive and the commands :ok_hand:

I’ll play with that.

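The manual lookups in this thread (`type -p`, reading `NAME.real`, `readlink`) can be scripted to inventory what each `$PATH` directory exposes and which package provides it. This is an added example, not code from any post in the thread; it assumes the layout visible in the outputs above (a `NAME.real` text file beside each wrapper, symlinks elsewhere), and the function names `origin_of` and `providers` are made up for illustration.

```shell
#!/bin/sh
# Added example: trace commands found in $PATH back to the files providing them.

# origin_of CMD [PATHLIST] -> prints "<hit in PATH> -> <file it really runs>"
origin_of() {
    cmd=$1
    pathlist=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        IFS=$old_ifs
        candidate=${dir:-.}/$cmd
        [ -x "$candidate" ] && [ ! -d "$candidate" ] || continue
        if [ -r "$candidate.real" ]; then
            # Wrapper layout from the thread: NAME.real stores the wrapped path.
            target=$(head -n 1 "$candidate.real")
        elif [ -e "$candidate.real" ]; then
            target='(NAME.real exists but is not readable; retry as root)'
        else
            # Profile layout from the thread: a symlink into the store.
            target=$(readlink -f "$candidate")
        fi
        printf '%s -> %s\n' "$candidate" "$target"
        return 0
    done
    IFS=$old_ifs
    return 1
}

# providers DIR -> per package root (target minus /bin/NAME), the number of
# commands it contributes to DIR, largest first.
providers() {
    for f in "$1"/*; do
        case $f in *.real) continue ;; esac
        line=$(origin_of "${f##*/}" "$1") || continue
        target=${line#*" -> "}
        printf '%s\n' "${target%/bin/*}"
    done | sort | uniq -c | sort -rn
}

# Usage: sh script.sh newgidmap
if [ "$#" -gt 0 ]; then
    origin_of "$1"
fi
```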