GNU bug report logs - #54811
[PATCH 0/3] Support socket activation in 'guix publish' and 'guix-daemon'
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sat, 9 Apr 2022 09:13:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Ludovic Courtès wrote on Mon 11-04-2022 at 22:33 [+0200]:
> > Ludovic Courtès wrote on Mon 11-04-2022 at 11:48 [+0200]:
> > > > * bonus: except possibly for the secret key material, "guix publish"
> > > >   does not have to be started as root anymore even if it uses a
> > > >   reserved port such as port 80 (assuming socket activation is used).
> > >
> > > But it does need to access the secret key…
> >
> > The ‘guix publish’ could be run as a separate, say, guix-publish user,
> > and the secret key could be made readable to guix-publish.
>
> That doesn’t sound reasonable.
Why not? ‘guix publish’ needs read access to the secret key anyway.
Though then (if done with chown) ‘guix publish’ could modify the secret
key file, so maybe instead of making it ‘owned’ by the 'guix-publish'
user, maybe just set an ACL to allow read access from ‘guix-publish’
but not write access?
Though that seems to be more complex than just letting ‘guix publish’
open the file and change users by itself, so maybe not.
Greetings,
Maxime.
This bug report was last modified 3 years and 38 days ago.