GNU bug report logs -
#32141
[PATCH] services: Add ddclient service.
Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>
Date: Fri, 13 Jul 2018 15:00:02 UTC
Severity: normal
Tags: patch
Done: Oleg Pykhalov <go.wigust <at> gmail.com>
Bug is archived. No further changes may be made.
Message #14 received at 32141 <at> debbugs.gnu.org (full text, mbox):
Hi Oleg,

Oleg Pykhalov <go.wigust <at> gmail.com> writes:

> ludo <at> gnu.org (Ludovic Courtès) writes:
[...]
>>> +@subsubheading ddclient Service
>>> +
>>> +@cindex ddclient
>>> +@uref{https://sourceforge.net/projects/ddclient/, ddclient} is an address
>>> +updating utility for dynamic DNS services.
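
Review bot: the only index entry in this hunk is `@cindex ddclient`, so a reader who looks up "dynamic DNS" in the concept index will not reach this section; consider adding `@cindex dynamic DNS` next to it.
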
>>
>> It would be nice to expound a bit, like:
>>
>> The ddclient service described below runs the ddclient daemon, which
>> takes care of automatically updating DNS entries for service providers
>> such as DynDNS.com.
>
> OK. I improved it a little bit with “such as @uref{https://dyn.com/dns/,
> Dyn}.” if you don't mind.

Sure.

>> Does it run as root? If there’s no option to run it (mostly) as
>> non-root, perhaps it would make sense to try using
>> ‘make-forkexec-constructor/container’ here (as a separate patch.)
>>
>> WDYT?
>
> It did run as root. I've succeeded in running it with the ‘ddclient’ user.

Awesome.

> Also, the generated ‘ddclient.conf’ which contains secrets is stored in
> the store. I probably should change the ‘ddclient-activation’ procedure
>
> (copy-file #$(plain-file "ddclient.conf" config-str) file)
>
> to a procedure which writes ‘config-str’ to the file without storing it
> somewhere else. WDYT?

The problem would be the same: the activation script would contain
‘config-str’, and it would live in the store.

In short we must not manipulate secrets in anything that goes through
the store. The only thing I can suggest is to leave it up to the
user to create a file containing the secret in an out-of-band fashion;
/etc is a good place for such things.

For example, they could create /etc/ddclient-secrets and then we would
somehow arrange to get that file read.

To do that there are two possibilities that come to mind:

  1. If the config file syntax has an “include” directive, just include
     /etc/ddclient-secrets unconditionally in the generated config file.

  2. Write an activation snippet that concatenates the generated config
     file with /etc/ddclient-secrets and stores that as
     /etc/ddclient.conf (or something like that.)

Thoughts?

Ludo’.
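
The second possibility above, sketched as a shell function. This is an added example, not Guix activation code and not part of the original message; the function name, argument order and return codes are assumptions, while the /etc paths and the ‘ddclient’ user come from the thread.

```shell
# Added example (not Guix code). Merge the generated, secret-free config with
# an out-of-band secrets file into the file the daemon reads.
#
# merge_ddclient_conf GENERATED SECRETS TARGET [OWNER]
#   returns 0 on success,
#           1 if an input is unreadable or the write fails,
#           2 if SECRETS is a symlink or readable by group/others.
# Function name, argument order and return codes are assumptions.
merge_ddclient_conf() {
    generated=$1 secrets=$2 target=$3 owner=${4:-}

    [ -r "$generated" ] && [ -r "$secrets" ] || return 1

    # In the `ls -l` mode string, character 5 is group-read and character 8
    # is other-read. A symlink shows as lrwxrwxrwx and is rejected as well.
    case $(ls -ld -- "$secrets") in
        l* | ????r* | ???????r*) return 2 ;;
    esac

    # mktemp creates the file with mode 0600, so the secret is never exposed
    # through a wider mode, and creating it next to TARGET keeps the final
    # mv an atomic rename on the same file system.
    tmp=$(mktemp "$(dirname -- "$target")/.ddclient.conf.XXXXXX") || return 1

    if cat -- "$generated" "$secrets" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f -- "$tmp" "$target"
    then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# Typical call from a root-run activation step (paths from the message above;
# /path/to/generated.conf is a placeholder for the store file):
#   merge_ddclient_conf /path/to/generated.conf /etc/ddclient-secrets \
#       /etc/ddclient.conf ddclient
```
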
This bug report was last modified 6 years and 271 days ago.