GNU bug report logs - #54997
[PATCH 00/12] Add "least authority" program wrapper

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 17 Apr 2022 21:02:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Message #44 received at 54997 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Ludovic Courtès <ludo <at> gnu.org>, 54997 <at> debbugs.gnu.org
Subject: Re: [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'.
Date: Mon, 18 Apr 2022 11:08:02 +0200
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
> [...]
>  
>  (define (ipfs-binary config)
> -  (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> +  (define command
> +    (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> +
> +  (least-authority-wrapper
> +   command
> +   #:name "ipfs"
> +   #:mappings (list %ipfs-home-mapping)
> +   #:namespaces (delq 'net %namespaces)))
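Review bot: `(delq 'net %namespaces)` leaves the network namespace shared with the host while every other namespace in %namespaces is unshared, and nothing in the hunk says why; a one-line comment above it (the daemon has to reach the host network to listen and peer with other nodes) would stop a later reader from "fixing" it back to the full %namespaces list. Note also that the wrapper carries no user or group, so every caller of `ipfs-binary` still has to drop privileges itself before exec'ing the wrapped command.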

To simplify things later, could #:user "ipfs" and #:group "ipfs" be
added to the least-authority wrapper (and implemented in the
'least-authority' procedure)?  Then ...

> +  (define (exec-command . args)
> +    ;; Exec the given ifps command with the right authority.
> +    #~(let ((pid (primitive-fork)))
> +        (if (zero? pid)
> +            (dynamic-wind
> +              (const #t)
> +              (lambda ()
> +                ;; Run ipfs init and ipfs config from a container,
> +                ;; in case the IPFS daemon was compromised at some
point
> +                ;; and ~/.ipfs is now a symlink to somewhere outside
> +                ;; %ipfs-home.
> +                (let ((pw (getpwnam "ipfs")))
> +                  (setgroups '#())
> +                  (setgid (passwd:gid pw))
> +                  (setuid (passwd:uid pw))
> +                  (environ #$%ipfs-environment)
> +                  (execl #$(ipfs-binary config) #$@args)))
> +              (lambda ()
> +                (primitive-exit 127)))
> +            (waitpid pid))))
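Review bot: the child's exit status is discarded at `(waitpid pid)`, so if `ipfs init` or `ipfs config` fails, or `execl` fails and the after-thunk exits with 127, the caller carries on as though the command had succeeded. Bind the result and check it, e.g. `(let ((status (cdr (waitpid pid)))) (unless (zero? (status:exit-val status)) (error "ipfs command failed" args status)))`. Minor: "ifps" in the comment on the first line of the hunk should read "ipfs".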

would become simpler as it wouldn't need to fork, exec, waitpid and
dynamic-wind.  Alternatively, if associating a user and group with a
pola wrapper is problematic (*), what do you think of defining a
'system*/with-capabilities' or 'invoke/with-capabilities' in a central
location?

Greetings,
Maxime.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.