GNU bug report logs -
#54997
[PATCH 00/12] Add "least authority" program wrapper
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sun, 17 Apr 2022 21:02:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Maxime Devos <maximedevos <at> telenet.be> skribis:
> Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
>> [...]
>>
>> (define (ipfs-binary config)
>> - (file-append (ipfs-configuration-package config) "/bin/ipfs"))
>> + (define command
>> + (file-append (ipfs-configuration-package config) "/bin/ipfs"))
>> +
>> + (least-authority-wrapper
>> + command
>> + #:name "ipfs"
>> + #:mappings (list %ipfs-home-mapping)
>> + #:namespaces (delq 'net %namespaces)))
>
> To simplify things later, could #:user "ipfs" and #:group "ipfs" be
> added to the least-authority wrapper (and implemented in the 'least-
> authority procedre)? Then ...
To me it’s setuid/setgid is beyond the scope of
‘least-authority-wrapper’. And indeed, this place is the only one that
needs it.
> would become simpler as it wouldn't need to fork, exec, waitpid and
> dynamic-wind. Alternatively, if associating a user and group with a
> pola wrapper is problematic (*), what do you think of defining a
> 'system*/with-capabilities' or 'invoke/with-capabilities' in a central
> location?
I’m not sure what these procedures would do.
I think we should build the house one brick at a time; this is the first
brick but I’m sure there’ll be others as we gain more experience and
clearer use cases.
Ludo’.
This bug report was last modified 3 years and 72 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.