summary refs log tree commit diff
path: root/etc
diff options
context:
space:
mode:
Diffstat (limited to 'etc')
-rwxr-xr-xetc/committer.scm.in152
-rwxr-xr-xetc/guix-install.sh9
-rw-r--r--etc/news.scm94
3 files changed, 209 insertions, 46 deletions
diff --git a/etc/committer.scm.in b/etc/committer.scm.in
index ebe6b96bcc..1f19ccfd6d 100755
--- a/etc/committer.scm.in
+++ b/etc/committer.scm.in
@@ -3,7 +3,7 @@
 !#
 
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,7 +28,10 @@
 
 (import (sxml xpath)
         (srfi srfi-1)
+        (srfi srfi-2)
         (srfi srfi-9)
+        (srfi srfi-11)
+        (srfi srfi-26)
         (ice-9 format)
         (ice-9 popen)
         (ice-9 match)
@@ -63,7 +66,8 @@ LINE-NO in PORT."
   (make-hunk file-name
              old-line-number
              new-line-number
-             diff)
+             diff-lines
+             definition?)
   hunk?
   (file-name       hunk-file-name)
   ;; Line number before the change
@@ -71,38 +75,45 @@ LINE-NO in PORT."
   ;; Line number after the change
   (new-line-number hunk-new-line-number)
   ;; The full diff to be used with "git apply --cached"
-  (diff hunk-diff))
+  (diff-lines hunk-diff-lines)
+  ;; Does this hunk add a definition?
+  (definition? hunk-definition?))
 
 (define* (hunk->patch hunk #:optional (port (current-output-port)))
   (let ((file-name (hunk-file-name hunk)))
     (format port
             "diff --git a/~a b/~a~%--- a/~a~%+++ b/~a~%~a"
             file-name file-name file-name file-name
-            (hunk-diff hunk))))
+            (string-join (hunk-diff-lines hunk) ""))))
 
 (define (diff-info)
   "Read the diff and return a list of <hunk> values."
   (let ((port (open-pipe* OPEN_READ
-                          "git" "diff"
+                          "git" "diff-files"
                           "--no-prefix"
-                          ;; Do not include any context lines.  This makes it
-                          ;; easier to find the S-expression surrounding the
-                          ;; change.
-                          "--unified=0")))
+                          ;; Only include one context line to avoid lumping in
+                          ;; new definitions with changes to existing
+                          ;; definitions.
+                          "--unified=1"
+                          "gnu")))
     (define (extract-line-number line-tag)
       (abs (string->number
             (car (string-split line-tag #\,)))))
     (define (read-hunk)
-      (reverse
-       (let loop ((lines '()))
-         (let ((line (read-line port 'concat)))
-           (cond
-            ((eof-object? line) lines)
-            ((or (string-prefix? "@@ " line)
-                 (string-prefix? "diff --git" line))
-             (unget-string port line)
-             lines)
-            (else (loop (cons line lines))))))))
+      (let loop ((lines '())
+                 (definition? #false))
+        (let ((line (read-line port 'concat)))
+          (cond
+           ((eof-object? line)
+            (values (reverse lines) definition?))
+           ((or (string-prefix? "@@ " line)
+                (string-prefix? "diff --git" line))
+            (unget-string port line)
+            (values (reverse lines) definition?))
+           (else
+            (loop (cons line lines)
+                  (or definition?
+                      (string-prefix? "+(define" line))))))))
     (define info
       (let loop ((acc '())
                  (file-name #f))
@@ -116,29 +127,42 @@ LINE-NO in PORT."
            ((string-prefix? "@@ " line)
             (match (string-split line #\space)
               ((_ old-start new-start . _)
-               (loop (cons (make-hunk file-name
-                                      (extract-line-number old-start)
-                                      (extract-line-number new-start)
-                                      (string-join (cons* line "\n"
-                                                          (read-hunk)) ""))
-                           acc)
-                     file-name))))
+               (let-values
+                   (((diff-lines definition?) (read-hunk)))
+                 (loop (cons (make-hunk file-name
+                                        (extract-line-number old-start)
+                                        (extract-line-number new-start)
+                                        (cons (string-append line "\n")
+                                              diff-lines)
+                                        definition?) acc)
+                       file-name)))))
            (else (loop acc file-name))))))
     (close-pipe port)
     info))
 
+(define (lines-to-first-change hunk)
+  "Return the number of diff lines until the first change."
+  (1- (count (lambda (line)
+               ((negate char-set-contains?)
+                (char-set #\+ #\-)
+                (string-ref line 0)))
+             (hunk-diff-lines hunk))))
+
 (define (old-sexp hunk)
   "Using the diff information in HUNK return the unmodified S-expression
 corresponding to the top-level definition containing the staged changes."
   ;; TODO: We can't seek with a pipe port...
   (let* ((port (open-pipe* OPEN_READ
-                           "git" "show" (string-append "HEAD:"
-                                                       (hunk-file-name hunk))))
+                           "git" "cat-file" "-p" (string-append
+                                                  "HEAD:"
+                                                  (hunk-file-name hunk))))
          (contents (get-string-all port)))
     (close-pipe port)
     (call-with-input-string contents
       (lambda (port)
-        (surrounding-sexp port (hunk-old-line-number hunk))))))
+        (surrounding-sexp port
+                          (+ (lines-to-first-change hunk)
+                             (hunk-old-line-number hunk)))))))
 
 (define (new-sexp hunk)
   "Using the diff information in HUNK return the modified S-expression
@@ -146,9 +170,10 @@ corresponding to the top-level definition containing the staged changes."
   (call-with-input-file (hunk-file-name hunk)
     (lambda (port)
       (surrounding-sexp port
-                        (hunk-new-line-number hunk)))))
+                        (+ (lines-to-first-change hunk)
+                           (hunk-new-line-number hunk))))))
 
-(define* (commit-message file-name old new #:optional (port (current-output-port)))
+(define* (change-commit-message file-name old new #:optional (port (current-output-port)))
   "Print ChangeLog commit message for changes between OLD and NEW."
   (define (get-values expr field)
     (match ((sxpath `(// ,field quasiquote *)) expr)
@@ -193,6 +218,12 @@ corresponding to the top-level definition containing the staged changes."
                                          (listify added)))))))))
             '(inputs propagated-inputs native-inputs)))
 
+(define* (add-commit-message file-name variable-name #:optional (port (current-output-port)))
+  "Print ChangeLog commit message for a change to FILE-NAME adding a definition."
+  (format port
+          "gnu: Add ~a.~%~%* ~a (~a): New variable.~%"
+          variable-name file-name variable-name))
+
 (define (group-hunks-by-sexp hunks)
   "Return a list of pairs associating all hunks with the S-expression they are
 modifying."
@@ -218,14 +249,45 @@ modifying."
           (cons* new (old-sexp (first hunks)) hunks)))
        (group-hunks-by-sexp hunks)))
 
+(define %delay 1000)
+
 (define (main . args)
   (match (diff-info)
     (()
-     (display "Nothing to be done." (current-error-port)))
+     (display "Nothing to be done.\n" (current-error-port)))
     (hunks
-     (for-each (match-lambda
-                 ((new old . hunks)
-                  (for-each (lambda (hunk)
+     (let-values
+         (((definitions changes)
+           (partition hunk-definition? hunks)))
+
+       ;; Additions.
+       (for-each (lambda (hunk)
+                   (and-let*
+                       ((define-line (find (cut string-prefix? "+(define" <>)
+                                           (hunk-diff-lines hunk)))
+                        (variable-name (and=> (string-tokenize define-line) second)))
+                     (add-commit-message (hunk-file-name hunk) variable-name)
+                     (let ((port (open-pipe* OPEN_WRITE                   
+                                             "git" "apply"                
+                                             "--cached"                   
+                                             "--unidiff-zero")))          
+                       (hunk->patch hunk port)                            
+                       (unless (eqv? 0 (status:exit-val (close-pipe port))) 
+                         (error "Cannot apply")))
+
+                     (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-")))
+                       (add-commit-message (hunk-file-name hunk)
+                                           variable-name port)
+                       (usleep %delay)
+                       (unless (eqv? 0 (status:exit-val (close-pipe port)))
+                         (error "Cannot commit"))))
+                   (usleep %delay))
+                 definitions)
+
+       ;; Changes.
+       (for-each (match-lambda
+                   ((new old . hunks)
+                    (for-each (lambda (hunk)
                                 (let ((port (open-pipe* OPEN_WRITE
                                                         "git" "apply"
                                                         "--cached"
@@ -233,18 +295,20 @@ modifying."
                                   (hunk->patch hunk port)
                                   (unless (eqv? 0 (status:exit-val (close-pipe port)))
                                     (error "Cannot apply")))
-                                (sleep 1))
+                                (usleep %delay))
                               hunks)
-                    (commit-message (hunk-file-name (first hunks))
-                                    old new
-                                    (current-output-port))
+                    (change-commit-message (hunk-file-name (first hunks))
+                                           old new
+                                           (current-output-port))
                     (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-")))
-                      (commit-message (hunk-file-name (first hunks))
-                                      old new
-                                      port)
-                      (sleep 1)
+                      (change-commit-message (hunk-file-name (first hunks))
+                                             old new
+                                             port)
+                      (usleep %delay)
                       (unless (eqv? 0 (status:exit-val (close-pipe port)))
                         (error "Cannot commit")))))
-               (new+old+hunks hunks)))))
+                 ;; XXX: we recompute the hunks here because previous
+                 ;; insertions lead to offsets.
+                 (new+old+hunks (diff-info)))))))
 
 (main)
diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index c84e7b7577..949ef7719f 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -330,15 +330,20 @@ sys_create_build_user()
         _msg "${PAS}group <guixbuild> created"
     fi
 
+    if [ $(getent group kvm) ]; then
+        _msg "${INF}group kvm exists and build users will be added to it"
+	local KVMGROUP=,kvm
+    fi
+
     for i in $(seq -w 1 10); do
         if id "guixbuilder${i}" &>/dev/null; then
             _msg "${INF}user is already in the system, reset"
-            usermod -g guixbuild -G guixbuild           \
+            usermod -g guixbuild -G guixbuild${KVMGROUP}     \
                     -d /var/empty -s "$(which nologin)" \
                     -c "Guix build user $i"             \
                     "guixbuilder${i}";
         else
-            useradd -g guixbuild -G guixbuild           \
+            useradd -g guixbuild -G guixbuild${KVMGROUP}     \
                     -d /var/empty -s "$(which nologin)" \
                     -c "Guix build user $i" --system    \
                     "guixbuilder${i}";
diff --git a/etc/news.scm b/etc/news.scm
index deedc69f6e..65d83061df 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -12,6 +12,8 @@
 ;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;; Copyright © 2021 Leo Famulari <leo@famulari.name>
 ;; Copyright © 2021 Zhu Zihao <all_but_last@163.com>
+;; Copyright © 2021 Chris Marusich <cmmarusich@gmail.com>
+;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
 ;;
 ;; Copying and distribution of this file, with or without modification, are
 ;; permitted in any medium without royalty provided the copyright notice and
@@ -20,6 +22,98 @@
 (channel-news
  (version 0)
 
+ (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586")
+        (title
+         (en "Risk of local privilege escalation during user account creation")
+         (de "Risiko lokaler Rechteausweitung während der Erstellung von Benutzerkonten"))
+        (body
+         (en "A security vulnerability that can lead to local privilege
+escalation has been found in the code that creates user accounts on Guix
+System---Guix on other distros is unaffected.  The system is only vulnerable
+during the activation of user accounts that do not already exist.
+
+This bug is fixed and Guix System users are advised to upgrade their system,
+with a command along the lines of:
+
+@example
+guix system reconfigure /run/current-system/configuration.scm
+@end example
+
+The attack can happen when @command{guix system reconfigure} is running.
+Running @command{guix system reconfigure} can trigger the creation of new user
+accounts if the configuration specifies new accounts.  If a user whose account
+is being created manages to log in after the account has been created but
+before ``skeleton files'' copied to its home directory have the right
+ownership, they may, by creating an appropriately-named symbolic link in the
+home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
+root privileges.
+
+See @uref{https://issues.guix.gnu.org/47584} for more information on this
+bug.")
+         (de "Eine Sicherheitslücke, die eine lokale Rechteausweitung zur
+Folge haben kann, wurde in dem Code gefunden, mit dem Benutzerkonten auf Guix
+System angelegt werden — Guix auf anderen Distributionen ist nicht betroffen.
+Das System kann nur während der Aktivierung noch nicht existierender
+Benutzerkonten angegriffen werden.
+
+Der Fehler wurde behoben und wir empfehlen Nutzern von Guix System, ihre
+Systeme zu aktualisieren, mit einem Befehl wie:
+
+@example
+guix system reconfigure /run/current-system/configuration.scm
+@end example
+
+Der Angriff kann erfolgen, während @command{guix system reconfigure} läuft.
+Wenn @command{guix system reconfigure} ausgeführt wird, kann das die Erzeugung
+neuer Benutzerkonten auslösen, wenn in der Konfiguration neue Konten angegeben
+wurden.  Wenn ein Benutzer, dessen Konto gerade angelegt wird, es
+fertigbringt, sich anzumelden, bevor „Skeleton-Dateien“ in seinem Persönlichen
+Verzeichnis den richtigen Besitzer haben, kann er durch Anlegen einer gezielt
+benannten symbolischen Verknüpfung in seinem Persönlichen Verzeichnis auf eine
+sensible Datei wie @file{/etc/shadow} Administratorrechte erlangen.
+
+Siehe @uref{https://issues.guix.gnu.org/47584} für mehr Informationen zu
+diesem Fehler.")))
+
+ (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06")
+        (title
+         (en "New supported platform: powerpc64le-linux")
+         (de "Neue Plattform wird unterstützt: powerpc64le-linux")
+         (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux"))
+        (body
+         (en "A new platform, powerpc64le-linux, has been added for
+little-endian 64-bit Power ISA processors using the Linux-Libre kernel.  This
+includes POWER9 systems such as the
+@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom,
+RYF Talos II mainboard}. This platform is available as a \"technology
+preview\": although it is supported, substitutes are not yet available from
+the build farm, and some packages may fail to build.  In addition, Guix System
+is not yet available on this platform.  That said, the Guix community is
+actively working on improving this support, and now is a great time to try it
+and get involved!")
+         (de "Eine neue Plattform, powerpc64le-linux, wurde hinzugefügt. Mit
+ihr können Prozessoren mit 64-Bit-Power-Befehlssatz, little-endian, mit dem
+Linux-Libre-Kernel betrieben werden.  Dazu gehören POWER9-Systeme wie die
+@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom,
+RYF-zertifizierte Talos-II-Hauptplatine}.  Bei der Plattform handelt es sich
+um eine „Technologievorschau“; obwohl sie unterstützt wird, gibt es noch keine
+Substitute von der Erstellungsfarm und bei manchen Paketen könnte die
+Erstellung fehlschlagen.  Des Weiteren ist Guix System auf dieser Plattform
+noch nicht verfügbar.  Dennoch arbeitet die Guix-Gemeinde aktiv daran, diese
+Unterstützung auszubauen, und jetzt ist eine gute Gelegenheit, sie
+auszuprobieren und mitzumachen!")
+         (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour
+les processeurs POWER 64-bits utilisant le noyau Linux-libre.  Ça inclut les
+systèmes POWER9 tels que les
+@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom,
+cartes Talos II RYF}.  Il s'agit pour le moment d'un « avant-goût » de la
+technologie : bien que la plate-forme soit prise en charge, la ferme de
+compilation ne fournit pas encore de substituts et certains paquets risquent
+de ne pas compiler.  En outre, Guix System n'est pas encore disponible sur
+cette plate-forme.  Ceci dit, la communauté Guix travaille activement pour
+améliorer cette prise en charge et c'est maintenant un bon moment pour
+l'essayer et pour s'impliquer !")))
+
  (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e")
         (title
          (en "Update on previous @command{guix-daemon} local privilege escalation")